
Windows Analysis Report
I7GcHDtUIF.exe

Overview

General Information

Sample name: I7GcHDtUIF.exe (renamed because original name is a hash value)
Original sample name: bb63e746e54ae6a1ff2d5d01fc4b6c61.exe
Analysis ID: 1499931
MD5: bb63e746e54ae6a1ff2d5d01fc4b6c61
SHA1: b22879f1eb81aabb7cf37fd531f85724f84fdc09
SHA256: 18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6
Tags: Amadey, exe

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • I7GcHDtUIF.exe (PID: 3492 cmdline: "C:\Users\user\Desktop\I7GcHDtUIF.exe" MD5: BB63E746E54AE6A1FF2D5D01FC4B6C61)
    • Hkbsse.exe (PID: 732 cmdline: "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe" MD5: BB63E746E54AE6A1FF2D5D01FC4B6C61)
      • rundll32.exe (PID: 3752 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 6572 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)
          • netsh.exe (PID: 7000 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
            • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 6752 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 6840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 2472 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)
  • Hkbsse.exe (PID: 2720 cmdline: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe MD5: BB63E746E54AE6A1FF2D5D01FC4B6C61)
  • Hkbsse.exe (PID: 1908 cmdline: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe MD5: BB63E746E54AE6A1FF2D5D01FC4B6C61)
  • Hkbsse.exe (PID: 7764 cmdline: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe MD5: BB63E746E54AE6A1FF2D5D01FC4B6C61)
  • cleanup
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Malware configuration: {"C2 url": "45.80.158.31/g9bkfkWf/index.php", "Version": "4.41", "Install Folder": "28c5e5ba36", "Install File": "Hkbsse.exe"}
Yara matches on the submitted sample:
Source: I7GcHDtUIF.exe | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security

Yara matches on dropped files:
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll | Rule: JoeSecurity_Amadey_3 | Description: Yara detected Amadey's Clipper DLL | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll | Rule: JoeSecurity_Amadey_3 | Description: Yara detected Amadey's Clipper DLL | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
(2 further entries not shown)

Yara matches in process memory dumps:
Source: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 00000000.00000000.1659071184.00000000006F1000.00000020.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 0000000E.00000000.2288882399.0000000000141000.00000020.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 0000000E.00000002.2290214428.0000000000141000.00000020.00000001.01000000.00000008.sdmp | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
(5 further entries not shown)

Yara matches on unpacked PE files:
Source: 8.2.rundll32.exe.6c830000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 8.2.rundll32.exe.6c830000.0.unpack | Rule: JoeSecurity_Amadey_3 | Description: Yara detected Amadey's Clipper DLL | Author: Joe Security
Source: 1.0.Hkbsse.exe.140000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 0.0.I7GcHDtUIF.exe.6f0000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
Source: 14.0.Hkbsse.exe.140000.0.unpack | Rule: JoeSecurity_Amadey_2 | Description: Yara detected Amadey's stealer DLL | Author: Joe Security
(6 further entries not shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6572, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 6752, ProcessName: powershell.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6572, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 6752, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6572, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 6752, ProcessName: powershell.exe

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 6572, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 7000, ProcessName: netsh.exe
No Suricata rule has matched


AV Detection

Source: http://45.80.158.31/g9bkfkWf/index.php?scr=1 | Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php?wal=1 | Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php?wal=18 | Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php?wal=1urn | Avira URL Cloud: Label: malware
Source: http://45.80.158.31/g9bkfkWf/index.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll | Avira: detection malicious, Label: HEUR/AGEN.1300426
Source: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll | Avira: detection malicious, Label: TR/PSW.Agent.nwhwy
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll | Avira: detection malicious, Label: HEUR/AGEN.1300426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll | Avira: detection malicious, Label: TR/PSW.Agent.nwhwy
Source: I7GcHDtUIF.exe | Malware Configuration Extractor: Amadey {"C2 url": "45.80.158.31/g9bkfkWf/index.php", "Version": "4.41", "Install Folder": "28c5e5ba36", "Install File": "Hkbsse.exe"}
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | ReversingLabs: Detection: 60%
Source: I7GcHDtUIF.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Joe Sandbox ML: detected
Source: I7GcHDtUIF.exe | Joe Sandbox ML: detected
Source: I7GcHDtUIF.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: I7GcHDtUIF.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb | source: cred64.dll.1.dr, cred64[1].dll.1.dr
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C83C5EF FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free,8_2_6C83C5EF
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\OneDrive\desktop.ini
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\Music\desktop.ini

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.80.158.31 80
Source: Malware configuration extractor | IPs: 45.80.158.31
Source: Joe Sandbox View | ASN Name: UK2NET-ASGB UK2NET-ASGB
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_006FB219 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,0_2_006FB219
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/Plugins/clip64.dll
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/Plugins/clip64.dllndows.storage.dlll
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3D88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.0000000003590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php
Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?scr=1
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=1
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=18
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.php?wal=1urn
Source: rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/g9bkfkWf/index.phpk
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/im
Source: rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://45.80.158.31/sP
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4734000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C833140 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard,8_2_6C833140
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_007105E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,0_2_007105E7
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Code function: 2_2_001605E7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,2_2_001605E7
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | File created: C:\Windows\Tasks\Hkbsse.job
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Code function: String function: 001619D0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Code function: String function: 0015BA50 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Code function: String function: 00161392 appears 67 times
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: String function: 007119D0 appears 39 times
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: String function: 0070BA50 appears 128 times
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: String function: 00711392 appears 67 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C837560 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C835F40 appears 103 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C836CB8 appears 47 times
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@18/22@0/1
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | File created: C:\Users\user\AppData\Roaming\309a138a12cecf
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6840:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Mutant created: \Sessions\1\BaseNamedObjects\309a138a12cecfb9dfd5a76987d8a372
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | File created: C:\Users\user\AppData\Local\Temp\28c5e5ba36
Source: I7GcHDtUIF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
Source: cred64.dll.1.dr, cred64[1].dll.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: cred64.dll.1.dr, cred64[1].dll.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: cred64.dll.1.dr, cred64[1].dll.1.dr | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: cred64.dll.1.dr, cred64[1].dll.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: cred64.dll.1.dr, cred64[1].dll.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: cred64.dll.1.dr, cred64[1].dll.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3D28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                                  Source: cred64.dll.1.dr, cred64[1].dll.1.drBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                                  Source: I7GcHDtUIF.exeReversingLabs: Detection: 60%
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeFile read: C:\Users\user\Desktop\I7GcHDtUIF.exeJump to behavior
                                  Source: unknownProcess created: C:\Users\user\Desktop\I7GcHDtUIF.exe "C:\Users\user\Desktop\I7GcHDtUIF.exe"
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeProcess created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
                                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
                                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                                  Source: C:\Windows\System32\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main
                                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeProcess created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe" Jump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, MainJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, MainJump to behavior
                                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, MainJump to behavior
                                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profilesJump to behavior
                                  Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel OptimalJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: wininet.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: mstask.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: mpr.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: dui70.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: duser.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: chartv.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: oleacc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: atlthunk.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: textinputframework.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: coreuicomponents.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: ntmarta.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: coremessaging.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: wtsapi32.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: winsta.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: textshaping.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeSection loaded: explorerframe.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: apphelp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: wininet.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: windowscodecs.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: edputil.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: wintypes.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: appresolver.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: bcp47langs.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: wininet.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: wininet.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: onex.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: slc.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: wininet.dll
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeSection loaded: kernel.appcore.dll
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32Jump to behavior
                                  Source: Window Recorder Window detected: More than 3 window changes detected
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                  Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                                  Source: I7GcHDtUIF.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Source: I7GcHDtUIF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                                  Source: Binary string: D:\Mktmp\StealerDLL\x64\Release\STEALERDLL.pdb source: cred64.dll.1.dr, cred64[1].dll.1.dr
                                  Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                  Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                  Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                  Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                  Source: I7GcHDtUIF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0071F9EC LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0071F9EC
                                  Source: cred64[1].dll.1.dr Static PE information: section name: _RDATA
                                  Source: cred64.dll.1.dr Static PE information: section name: _RDATA
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0071136C push ecx; ret 0_2_0071137F
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0070049B push ds; retf 0000h 0_2_0070049F
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0016136C push ecx; ret 2_2_0016137F
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Code function: 2_2_0015049B push ds; retf 0000h 2_2_0015049F
                                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C8375A6 push ecx; ret 8_2_6C8375B9
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B4B28FA push ebx; iretd 9_2_00007FFD9B4B290A
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B4B2785 push ebx; iretd 9_2_00007FFD9B4B290A
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58BBCA push ss; ret 9_2_00007FFD9B58BBD5
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B584BCA push ss; ret 9_2_00007FFD9B584BCC
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B584BD0 push ss; ret 9_2_00007FFD9B584BD9
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58B2CA push esi; retf 9_2_00007FFD9B58B2CB
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CACC push eax; retf 0000h 9_2_00007FFD9B58CAD5
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5812CF push ss; ret 9_2_00007FFD9B5812D1
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CAA8 push 140000C9h; retf 0000h 9_2_00007FFD9B58CAB1
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CA8A push esi; retf 9_2_00007FFD9B58CA8B
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58B260 push ss; ret 9_2_00007FFD9B58B263
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B586340 push eax; retf 9_2_00007FFD9B58634B
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B584B05 push ss; ret 9_2_00007FFD9B584B0B
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5862DE push ss; ret 9_2_00007FFD9B5862E0
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58AA1B push ss; ret 9_2_00007FFD9B58AA1E
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58221A push esi; retf 9_2_00007FFD9B58221B
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5888B2 push esi; retf 9_2_00007FFD9B5888B3
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58185F push ss; ret 9_2_00007FFD9B581861
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B589942 push ss; ret 9_2_00007FFD9B589944
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B5837A8 push eax; retf 9_2_00007FFD9B5837B3
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B582F98 push ss; ret 9_2_00007FFD9B582F9A
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58CF60 push eax; iretd 9_2_00007FFD9B58CF61
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58285C push ss; ret 9_2_00007FFD9B582865
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B582856 push ss; ret 9_2_00007FFD9B582858
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B58AFFA push ss; ret 9_2_00007FFD9B58AFFD
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_00007FFD9B586E64 push ss; ret 9_2_00007FFD9B586E6C
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File created: C:\Windows\Tasks\Hkbsse.job

                                  Hooking and other Techniques for Hiding and Protection

                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 180000
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9719
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5091
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4680
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-28460
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe API coverage: 4.5 %
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe API coverage: 2.3 %
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 4080 Thread sleep time: -1500000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 2676 Thread sleep time: -540000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 344 Thread sleep time: -180000s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe TID: 4080 Thread sleep time: -30000s >= -30000s
                                  Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep count: 278 > 30
                                  Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep time: -278000s >= -30000s
                                  Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep count: 9719 > 30
                                  Source: C:\Windows\SysWOW64\rundll32.exe TID: 3492 Thread sleep time: -9719000s >= -30000s
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7228 Thread sleep time: -8301034833169293s >= -30000s
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Last function: Thread delayed
                                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                                  Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Windows\System32\rundll32.exe File Volume queried: C:\ FullSizeInformation
                                  Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_6C83C5EF FindFirstFileExW,_free,FindNextFileW,_free,FindClose,_free, 8_2_6C83C5EF
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_006F85E0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_006F85E0
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 30000
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe Thread delayed: delay time: 180000
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                                  Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user
                                  Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\OneDrive\desktop.ini
                                  Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData
                                  Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\AppData\Local
                                  Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Videos\desktop.ini
                                  Source: C:\Windows\System32\rundll32.exe File opened: C:\Users\user\Music\desktop.ini
                                  Source: rundll32.exe, 00000008.00000002.4126034396.00000000035A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWAc*t
                                  Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW7
                                  Source: rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
                                  Source: rundll32.exe, 00000005.00000002.1944445331.00000265A3D28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
                                  Source: Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.00000000035A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                                  Source: netsh.exe, 00000006.00000003.1703353327.0000027C72365000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllSS
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0072A4FE
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0071F9EC LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0071F9EC
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_0072DCE2 mov eax, dword ptr fs:[00000030h] 0_2_0072DCE2
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exe Code function: 0_2_00729F7B mov eax, dword ptr fs:[00000030h] 0_2_00729F7B
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeCode function: 2_2_0017DCE2 mov eax, dword ptr fs:[00000030h]2_2_0017DCE2
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeCode function: 2_2_00179F7B mov eax, dword ptr fs:[00000030h]2_2_00179F7B
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C83C0D1 mov eax, dword ptr fs:[00000030h]8_2_6C83C0D1
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C83AA9F mov eax, dword ptr fs:[00000030h]8_2_6C83AA9F
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C83DA64 GetProcessHeap,8_2_6C83DA64
                                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeCode function: 0_2_0072A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0072A4FE
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeCode function: 0_2_007115F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_007115F5
                                  Source: C:\Users\user\Desktop\I7GcHDtUIF.exeCode function: 0_2_00710C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00710C37
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeCode function: 2_2_0017A4FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0017A4FE
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeCode function: 2_2_001615F5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_001615F5
                                  Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exeCode function: 2_2_00160C37 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00160C37
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C836CCD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_6C836CCD
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C837431 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_6C837431
                                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C83A094 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_6C83A094

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.80.158.31 80
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_006F77A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 0_2_006F77A0
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Process created: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_007117E1 cpuid 0_2_007117E1
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Queries volume information: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\HTAGVDFUIE.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\LTKMYBSEYZ.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\ONBQCLYSPU.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\UMMBDNEQBN.xlsx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\VLZDGUKUTZ.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\XZXHAVGRAG.docx VolumeInformation
Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_006FB219 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA, 0_2_006FB219
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_006F85E0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo, 0_2_006F85E0

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles

Stealing of Sensitive Information

                                  barindex
                                  Source: Yara matchFile source: 8.2.rundll32.exe.6c830000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
                                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, type: DROPPED
                                  Source: Yara matchFile source: I7GcHDtUIF.exe, type: SAMPLE
                                  Source: Yara matchFile source: 8.2.rundll32.exe.6c830000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 1.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 0.0.I7GcHDtUIF.exe.6f0000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 14.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
                                  Source: Yara matchFile source: 2.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.I7GcHDtUIF.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.Hkbsse.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1659071184.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000000.2288882399.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2290214428.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.1664512178.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.1667726403.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1692138583.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.1689588542.0000000000141000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, type: DROPPED
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\System32\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\ImmersiveControlPanel\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\System32\oobe\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Program Files (x86)\FZZgSiwoxTBSBtKXXbDNUUJFBqMCcytLQCqtnkRwXnprVQJgVODeSJUWpvjulcQr\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Temp\28c5e5ba36\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Windows\SysWOW64\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\Desktop\{6D809377-6AF0-444B-8957-A3773F02200E}\Common Files\microsoft shared\ClickToRun\.purple\accounts.xml
Source: C:\Windows\System32\rundll32.exe | File opened: C:\.purple\accounts.xml
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_0072269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_0072269B
Source: C:\Users\user\Desktop\I7GcHDtUIF.exe | Code function: 0_2_007219A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_007219A4
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Code function: 2_2_0017269B Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,2_2_0017269B
Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | Code function: 2_2_001719A4 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,2_2_001719A4
MITRE ATT&CK matrix (one line per tactic; a number in front of a technique is the count shown for it in the original matrix):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Native API; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 211 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 11 Masquerading; 21 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Rundll32; HTML Smuggling
Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 26 System Information Discovery; 121 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 2 Data from Local System; 2 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1499931 | Sample: I7GcHDtUIF.exe | Start date: 27/08/2024 | Architecture: WINDOWS | Score: 100
Top-level signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 8 other signatures

Process tree as shown in the behavior graph (three further Hkbsse.exe instances were started directly at the top level):

I7GcHDtUIF.exe
  dropped: C:\Users\user\AppData\Local\...\Hkbsse.exe (PE32); C:\Users\user\...\Hkbsse.exe:Zone.Identifier (ASCII)
  signature: Contains functionality to inject code into remote processes
  started: Hkbsse.exe
    contacted: 45.80.158.31 (UK2NET-ASGB, Netherlands)
    dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\clip64[1].dll (PE32); 2 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    started: rundll32.exe (second instance; signature: System process connects to network (likely due to code injection or exploit))
    started: rundll32.exe
      started: rundll32.exe
        signatures: Tries to steal Instant Messenger accounts or passwords; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal ftp login credentials; 2 other signatures
        started: powershell.exe
          dropped: C:\Users\user\...\246122658369_Desktop.zip (Zip)
          signature: Loading BitLocker PowerShell Module
          started: conhost.exe
        started: netsh.exe
          started: conhost.exe

Source | Detection | Scanner | Label
I7GcHDtUIF.exe | 61% | ReversingLabs | Win32.Infostealer.Tinba
I7GcHDtUIF.exe | 100% | Joe Sandbox ML
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll | 100% | Avira | HEUR/AGEN.1300426
C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll | 100% | Avira | TR/PSW.Agent.nwhwy
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll | 100% | Avira | HEUR/AGEN.1300426
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll | 100% | Avira | TR/PSW.Agent.nwhwy
C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe | 61% | ReversingLabs | Win32.Infostealer.Tinba
                                  No Antivirus matches
                                  No Antivirus matches
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://aka.ms/winsvr-2022-pshelp | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
http://45.80.158.31/sP | 0% | Avira URL Cloud | safe
https://aka.ms/pscore68 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://45.80.158.31/g9bkfkWf/index.php?scr=1 | 100% | Avira URL Cloud | malware
http://45.80.158.31/g9bkfkWf/index.php?wal=1 | 100% | Avira URL Cloud | malware
http://45.80.158.31/ | 0% | Avira URL Cloud | safe
http://45.80.158.31/im | 0% | Avira URL Cloud | safe
https://aka.ms/winsvr-2022-pshelpX | 0% | Avira URL Cloud | safe
http://45.80.158.31/g9bkfkWf/index.php?wal=18 | 100% | Avira URL Cloud | malware
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
http://45.80.158.31/g9bkfkWf/index.phpk | 0% | Avira URL Cloud | safe
http://45.80.158.31/g9bkfkWf/Plugins/clip64.dllndows.storage.dlll | 0% | Avira URL Cloud | safe
http://45.80.158.31/g9bkfkWf/index.php?wal=1urn | 100% | Avira URL Cloud | malware
http://45.80.158.31/g9bkfkWf/Plugins/clip64.dll | 0% | Avira URL Cloud | safe
http://45.80.158.31/g9bkfkWf/index.php | 100% | Avira URL Cloud | malware
                                  No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://45.80.158.31/g9bkfkWf/index.php?scr=1 | Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://45.80.158.31/sP | rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelp | powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.80.158.31/g9bkfkWf/index.php?wal=1 | rundll32.exe, 00000005.00000002.1944445331.00000265A3DB2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3DD3000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.80.158.31/ | rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/winsvr-2022-pshelpX | powershell.exe, 00000009.00000002.1900026260.000001A9B4734000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.80.158.31/im | rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.80.158.31/g9bkfkWf/index.php?wal=18 | rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://45.80.158.31/g9bkfkWf/index.phpk | rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.80.158.31/g9bkfkWf/Plugins/clip64.dllndows.storage.dlll | Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://45.80.158.31/g9bkfkWf/index.php?wal=1urn | rundll32.exe, 00000005.00000002.1944678630.00000265A5C00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000009.00000002.1900026260.000001A9B3388000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.1900026260.000001A9B4A36000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.1923706296.000001A9C31D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://45.80.158.31/g9bkfkWf/Plugins/clip64.dll | Hkbsse.exe, 00000001.00000003.1696660497.0000000000D6E000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000009.00000002.1900026260.000001A9B3161000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://45.80.158.31/g9bkfkWf/index.php | Hkbsse.exe, 00000001.00000003.1696660497.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1944445331.00000265A3D88000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.000000000354A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.4126034396.0000000003590000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.80.158.31 | unknown | Netherlands | 13213 | UK2NET-ASGB | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1499931
Start date and time: 2024-08-27 18:14:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 0s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: I7GcHDtUIF.exe
renamed because original name is a hash value
Original Sample Name: bb63e746e54ae6a1ff2d5d01fc4b6c61.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@18/22@0/1
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 35
• Number of non-executed functions: 196
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Execution Graph export aborted for target powershell.exe, PID 6752 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Skipping network analysis since amount of network traffic is too extensive
• VT rate limit hit for: I7GcHDtUIF.exe
Time | Type | Description
12:14:57 | API Interceptor | 5594026x Sleep call for process: Hkbsse.exe modified
12:15:10 | API Interceptor | 37x Sleep call for process: powershell.exe modified
12:15:36 | API Interceptor | 5120222x Sleep call for process: rundll32.exe modified
17:14:57 | Task Scheduler | Run new task: Hkbsse path: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  No context
                                  No context
                                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                  UK2NET-ASGB | http://airdrop-manta-pacific-99s.pages.dev/ | malicious | Unknown | 173.244.207.29
                                   | K9PWTHTxcy.dll | malicious | DanaBot | 45.80.158.189
                                   | K9PWTHTxcy.dll | malicious | DanaBot | 45.80.158.189
                                   | ipNkjpa6m0.msi | malicious | DanaBot | 45.80.158.189
                                   | yJYNZgoiNh.msi | malicious | DanaBot, RHADAMANTHYS | 45.80.158.189
                                   | QIkZ7aeVBV.msi | malicious | DanaBot, RHADAMANTHYS | 45.80.158.189
                                   | J6oTAcCqhp.msi | malicious | DanaBot | 45.80.158.189
                                   | sora.arm7.elf | malicious | Mirai | 77.92.90.55
                                   | PBEZlc6yX7.elf | malicious | Mirai | 77.92.78.176
                                   | ZG7UaFRPVW.exe | malicious | DBatLoader, Remcos | 45.80.158.32
                                  No context
                                  No context
                                  Process:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):1285120
                                  Entropy (8bit):6.458915405189223
                                  Encrypted:false
                                  SSDEEP:24576:6jm1sk9lP6nWZJaIOo/QHtH9YZ0yNJW+6JyKb:N96nWerAQHB9yjWzA
                                  MD5:4A4527A3ECF33AC8DC86E12681ABF97B
                                  SHA1:78D10BB2D329A8332E5DC867AD29B88B264D416B
                                  SHA-256:927D13D42C06A92311D6338E5BBE9CD1B895C1B46E0E3A02D6058AF1B05926AC
                                  SHA-512:27B8EA90479C99B12328223745A29806957E86CA687300D5B08CA617F7DA2CDF516BE7A3993FE60D8BC6E509A65EBB2B1BD8655EA9DEEC3CE804B21095D30ABC
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\cred64[1].dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d.....f.........." .........T...............................................P............`.........................................@...X............ .......`..p............0.........p...........................@................................................text............................... ..`.rdata..............................@..@.data............D..................@....pdata..p....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):130560
                                  Entropy (8bit):6.397229151092778
                                  Encrypted:false
                                  SSDEEP:3072:FDrG/eLj+t+YpqUjWouVPkrH3/U9acw62xm4+5j:5aeL6g2jfuVPqxA5j
                                  MD5:BABFDA6375B07D76F6A46AF11BDC3787
                                  SHA1:0CD82432E87EFC88A1BB17C29231F6D09F4110E9
                                  SHA-256:11B87C0AD7C06050D3AF24D73AED0B01C1839264243CB29B992B06DED124D9EA
                                  SHA-512:A1DF0624A4302F04586C22EFCBCEDBB77A69EDD55F3298C3EF9B880ED16CE1F6D728BE2246A11C295B76D412C06E3A6EDE9D69DB0E3DDCF463B9F42174512D5A
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, Author: Joe Security
                                  • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\clip64[1].dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L.....f...........!.....R...........r.......p...............................@............@.........................p...........P............................ ..t...@...8...........................x...@............p..L............................text....Q.......R.................. ..`.rdata...t...p...v...V..............@..@.data...............................@....rsrc...............................@..@.reloc..t.... ......................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):1504
                                  Entropy (8bit):5.275304657373953
                                  Encrypted:false
                                  SSDEEP:24:3BJSKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9t7J0gt/NKmNUNEr8H0UMem:xJSU4y4RQmFoUeCamfm9qr9tK8NfUNEZ
                                  MD5:33799FF21C1046542DA65F158A80F71B
                                  SHA1:4B06DF6635E108A9E8375C87C6E66EB3290C8C17
                                  SHA-256:50F009D3CE3132D05929E4C06EBD4E64853526576B92487F74F0F4F02238F371
                                  SHA-512:BE40524003108E0C0E0B5498F1331D3B010BA55D12C51924B509CE6F78986B8366B9F58389B465209369C28C8321AD02525F80FFCB1733B53BB56AFBA8C01AEC
                                  Malicious:false
                                  Reputation:low
                                  Preview:@...e...........4..................... ..............@..........@...............|.jdY\.H.s9.!..|4.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                  Process:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                  Category:dropped
                                  Size (bytes):97735
                                  Entropy (8bit):7.880301703861533
                                  Encrypted:false
                                  SSDEEP:1536:CBCz5m0ikEEa/NZd4WArZy1TWJWlIRCoT3C2Xjwv1cyqhaigBSkX8CCl7CzOP3WL:WO/iXVZd4WAFyMJWvoLC2+jqwBSG85ls
                                  MD5:E6C9C35AD49585897495AAA6FD8484C6
                                  SHA1:276CBA2B705DEF83B1FCF53E8076FC941091EE97
                                  SHA-256:A4E2FAFA1E2FA17381C856043B8BA887995DA650DE7C1898B1BD5E4072119F09
                                  SHA-512:E5CA46A9859380A00ACE691E476E3E80F2CB5E37DDDCA9F968B0F8BFC8FBEA1C49D617A9C2267A07E06681A7022BBCF5B23B8E8753C6D587D2A5F3E539074871
                                  Malicious:true
                                  Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3.*..m..,.X.c.#....O.*.i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(....~....[.....).....+.F"8x{I.t.p....pj.g.Ez..+..........O.Wz.......\..4;?...O.........QA..Z.DqCr.Y...L....V..\A.
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                  Category:dropped
                                  Size (bytes):6140
                                  Entropy (8bit):7.801624226088071
                                  Encrypted:false
                                  SSDEEP:96:a0WMMYYuZSYsnt6vLvOLv/2+8R6CbsT/3+8R6CbsTWfAcNMXxRr0pC/ZtDg3iYjH:a0WHnuZSKjm4jb2xjb2wNMBJU003fjHn
                                  MD5:B97560527E37FDF2486D39F475DE1E28
                                  SHA1:45E51224FEAF42173340D7521A9DBA6E023BE72D
                                  SHA-256:F35C9B5FEEE22D1518EC80D9F02561D84AE94059815672E15D3787C25557D862
                                  SHA-512:343D3C1809A222207D13DB36C646867BCD9034593082BD3DA9407AA2AA265560CA155F58BA633E936011BB6FC2AF41849B5F71F9B286314E4E9F75BAA12BC1BA
                                  Malicious:true
                                  Preview:PK........Q@DWP.............._Files_\HTAGVDFUIE.xlsx..Ir@!.D.....#..N.?H..(..ud....\....7...0...Q.}SU]?P:]p......X?:i.L.L.Z....k. ..4.. wN.w...P.7..Z......d..!/_.h5.......t.7+..&................ixr..U.go..9....YhBuLc...P..$...V.|.+wS[...e.x.vK='ma........c[5Q........3...LXj...[.c...g...#.J...........9.v...6..dP.l..J...$A?..wv?\...O.u..Q....*a..X.....6..M^.y.-.Emm.~P.qu.S?...ssbb..a..S..G....m.f..........]*.*'..;..Z9uL....n....._5.....PMV...G|..=.z..k^.....u..E..4.{(.K.R...gmG.\oh.eMm8D4Fj...y.^).m./..bm.-.......0......(..+...]....U.WOkq..V.C0gP...~.......7.V;.I.<..{.]....hV+.......u..So.P.....Cn.S..E......i>..:.A.6.{.1..6p..."2..../...k.p?IjD(>1..}........PK........Q@DW/1............._Files_\LTKMYBSEYZ.xlsx.SI.E!..w.?.....Y...vE..M...tt.sO\...i..BI.T|..rp..d.d.i..}C.s|.@^mn..\.U..h..z....).>.q....?.= ..}E..(.Yb.s.:..c....."...~.3..y.....g....k.(..."........q9&a..>.!.S.>..a?'..b....:.....}...P+..-.........=.|...T..Z.ri..1....r.|..?w..2
                                  Process:C:\Users\user\Desktop\I7GcHDtUIF.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):445440
                                  Entropy (8bit):6.510925176267381
                                  Encrypted:false
                                  SSDEEP:12288:Y5fdcr5zzkoTCKPWop7tGZDH9ibUB25u2Ot:0atzzPTCKPBpoBQbzw
                                  MD5:BB63E746E54AE6A1FF2D5D01FC4B6C61
                                  SHA1:B22879F1EB81AABB7CF37FD531F85724F84FDC09
                                  SHA-256:18AEB7BE496D51BADA50F3781764BB7771F74D7050E3CEEFA51725B3F86A59F6
                                  SHA-512:A7AD6ECB848789CD32090863EF5196DAB836A4A5937B988516E0D72F69B2FB6459DB9BAF0FF8281D301134CBF9A66D2B889FB647AD0F637CF0E03F46CEA23E42
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 61%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L.....f.................(..........4........@....@..........................0............@..................................F...................................N......8...................|...........@............@..$............................text...J&.......(.................. ..`.rdata.......@.......,..............@..@.data...|f...`...4...F..............@....rsrc................z..............@..@.reloc...N.......P...|..............@..B........................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\I7GcHDtUIF.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:modified
                                  Size (bytes):26
                                  Entropy (8bit):3.95006375643621
                                  Encrypted:false
                                  SSDEEP:3:ggPYV:rPYV
                                  MD5:187F488E27DB4AF347237FE461A079AD
                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                  Malicious:true
                                  Preview:[ZoneTransfer]....ZoneId=0
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.692693183518806
                                  Encrypted:false
                                  SSDEEP:24:FrPOQ32qakAnGkyNl2g/fQJnKVOvsyX1aZKx1aHEg:53Sq9/fiK4XQfHEg
                                  MD5:78F042E25B7FAF970F75DFAA81955268
                                  SHA1:F7C4C8DDF51B3C5293E0A92F6767D308BBF568B4
                                  SHA-256:E4C9709AFEA9D9830CED1AA6DF1711D0332A5972688640368DDC32C07C0D5D17
                                  SHA-512:CE2548833F62C549CA0268BE445E517AC986CA44EA52916A153DFFE4D7FA59B703E5927DFE70836E8B082C246793DF2066D72DB4A6E1C948940E88C524952348
                                  Malicious:false
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.687722658485212
                                  Encrypted:false
                                  SSDEEP:24:gTVIxDsK0PxMQbXpEHH8+976o9VWmCUGGFT3IIU8wyG33bu3jUn:gZIxDW5lj02otC1G5IIUF/n
                                  MD5:9A59DF7A478E34FB1DD60514E5C85366
                                  SHA1:DE10B95426671A161E37E5CE1AD6424AB3C07D98
                                  SHA-256:582393A08E0952F43A544A991772B088CC77CE584F8844DE6C5246BA36E703D5
                                  SHA-512:70B4673D358E097AB2B75633A64A19C16E1422C81B6B198D81BF17B7609BFB4ACF5DE36228FF3884C5B9BA0A15E13F56C94968E5136B497C826F3D201A971B00
                                  Malicious:false
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.699434772658264
                                  Encrypted:false
                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                  Malicious:false
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.699434772658264
                                  Encrypted:false
                                  SSDEEP:24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
                                  MD5:02D3A9BE2018CD12945C5969F383EF4A
                                  SHA1:085F3165672114B2B8E9F73C629ADABBF99F178D
                                  SHA-256:6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
                                  SHA-512:A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
                                  Malicious:false
                                  Preview:ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.695685570184741
                                  Encrypted:false
                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                  Malicious:false
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.695685570184741
                                  Encrypted:false
                                  SSDEEP:24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
                                  MD5:A28F7445BB3D064C83EB9DBC98091F76
                                  SHA1:D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
                                  SHA-256:10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
                                  SHA-512:42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
                                  Malicious:false
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.701757898321461
                                  Encrypted:false
                                  SSDEEP:24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
                                  MD5:520219000D5681B63804A2D138617B27
                                  SHA1:2C7827C354FD7A58FB662266B7E3008AFB42C567
                                  SHA-256:C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
                                  SHA-512:C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
                                  Malicious:false
                                  Process:C:\Windows\System32\rundll32.exe
                                  File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1026
                                  Entropy (8bit):4.69156792375111
                                  Encrypted:false
                                  SSDEEP:24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
                                  MD5:A4E170A8033E4DAE501B5FD3D8AC2B74
                                  SHA1:589F92029C10058A7B281AA9F2BBFA8C822B5767
                                  SHA-256:E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
                                  SHA-512:FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
                                  Malicious:false
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):60
                                  Entropy (8bit):4.038920595031593
                                  Encrypted:false
                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                  Malicious:false
                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                  Process:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):130560
                                  Entropy (8bit):6.397229151092778
                                  Encrypted:false
                                  SSDEEP:3072:FDrG/eLj+t+YpqUjWouVPkrH3/U9acw62xm4+5j:5aeL6g2jfuVPqxA5j
                                  MD5:BABFDA6375B07D76F6A46AF11BDC3787
                                  SHA1:0CD82432E87EFC88A1BB17C29231F6D09F4110E9
                                  SHA-256:11B87C0AD7C06050D3AF24D73AED0B01C1839264243CB29B992B06DED124D9EA
                                  SHA-512:A1DF0624A4302F04586C22EFCBCEDBB77A69EDD55F3298C3EF9B880ED16CE1F6D728BE2246A11C295B76D412C06E3A6EDE9D69DB0E3DDCF463B9F42174512D5A
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Author: Joe Security
                                  • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L.....f...........!.....R...........r.......p...............................@............@.........................p...........P............................ ..t...@...8...........................x...@............p..L............................text....Q.......R.................. ..`.rdata...t...p...v...V..............@..@.data...............................@....rsrc...............................@..@.reloc..t.... ......................@..B........................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                  Category:dropped
                                  Size (bytes):1285120
                                  Entropy (8bit):6.458915405189223
                                  Encrypted:false
                                  SSDEEP:24576:6jm1sk9lP6nWZJaIOo/QHtH9YZ0yNJW+6JyKb:N96nWerAQHB9yjWzA
                                  MD5:4A4527A3ECF33AC8DC86E12681ABF97B
                                  SHA1:78D10BB2D329A8332E5DC867AD29B88B264D416B
                                  SHA-256:927D13D42C06A92311D6338E5BBE9CD1B895C1B46E0E3A02D6058AF1B05926AC
                                  SHA-512:27B8EA90479C99B12328223745A29806957E86CA687300D5B08CA617F7DA2CDF516BE7A3993FE60D8BC6E509A65EBB2B1BD8655EA9DEEC3CE804B21095D30ABC
                                  Malicious:true
                                  Yara Hits:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d.....f.........." .........T...............................................P............`.........................................@...X............ .......`..p............0.........p...........................@................................................text............................... ..`.rdata..............................@..@.data............D..................@....pdata..p....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\I7GcHDtUIF.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):284
                                  Entropy (8bit):3.423816428685331
                                  Encrypted:false
                                  SSDEEP:6:vUwXflNeRKUEZ+lX1cjNetPjgsW2YRZuy0l5ltut0:8af2RKQ1C2jzvYRQV7Ut0
                                  MD5:C0966E2C40AB31F162A84F6A19C7F565
                                  SHA1:64E0C31513009BD77F72477EA172073CC71A0FED
                                  SHA-256:0735C3B2AEC6A66D1201BAC13ED1949442B9204C9AEACAF53124F0D16EC4CAE7
                                  SHA-512:40CD8252F24554F07CDD3F85873987896C948AB9645C14E9616B4152897458C0887F08D6C7226A315AFD02C7546549A18CC837AC8ABB577734511E83BD4950EB
                                  Malicious:false
                                  Preview:......$....D.].>J.".F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.2.8.c.5.e.5.b.a.3.6.\.H.k.b.s.s.e...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0...................@3P.........................
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):6.510925176267381
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:I7GcHDtUIF.exe
                                  File size:445'440 bytes
                                  MD5:bb63e746e54ae6a1ff2d5d01fc4b6c61
                                  SHA1:b22879f1eb81aabb7cf37fd531f85724f84fdc09
                                  SHA256:18aeb7be496d51bada50f3781764bb7771f74d7050e3ceefa51725b3f86a59f6
                                  SHA512:a7ad6ecb848789cd32090863ef5196dab836a4a5937b988516e0d72f69b2fb6459db9baf0ff8281d301134cbf9a66d2b889fb647ad0f637cf0e03f46cea23e42
                                  SSDEEP:12288:Y5fdcr5zzkoTCKPWop7tGZDH9ibUB25u2Ot:0atzzPTCKPBpoBQbzw
                                  TLSH:C3945B213962C032C65092711E68FFF594EDE9259B7109DB77C40F7BAE211E26A31F3A
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x421334
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x669FF0D5 [Tue Jul 23 18:05:09 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:6
                                  OS Version Minor:0
                                  File Version Major:6
                                  File Version Minor:0
                                  Subsystem Version Major:6
                                  Subsystem Version Minor:0
                                  Import Hash:f524bbe3419681c6783b5efcee446fb5
                                  Instruction
                                  call 00007F03647B1809h
                                  jmp 00007F03647B0F39h
                                  int3
                                  int3
                                  push ecx
                                  lea ecx, dword ptr [esp+08h]
                                  sub ecx, eax
                                  and ecx, 0Fh
                                  add eax, ecx
                                  sbb ecx, ecx
                                  or eax, ecx
                                  pop ecx
                                  jmp 00007F03647B190Fh
                                  push ecx
                                  lea ecx, dword ptr [esp+08h]
                                  sub ecx, eax
                                  and ecx, 07h
                                  add eax, ecx
                                  sbb ecx, ecx
                                  or eax, ecx
                                  pop ecx
                                  jmp 00007F03647B18F9h
                                  mov ecx, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], ecx
                                  pop ecx
                                  pop edi
                                  pop edi
                                  pop esi
                                  pop ebx
                                  mov esp, ebp
                                  pop ebp
                                  push ecx
                                  ret
                                  mov ecx, dword ptr [ebp-10h]
                                  xor ecx, ebp
                                  call 00007F03647B077Bh
                                  jmp 00007F03647B10A0h
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [00466014h]
                                  xor eax, ebp
                                  push eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                  ret
                                  push eax
                                  push dword ptr fs:[00000000h]
                                  lea eax, dword ptr [esp+0Ch]
                                  sub esp, dword ptr [esp+0Ch]
                                  push ebx
                                  push esi
                                  push edi
                                  mov dword ptr [eax], ebp
                                  mov ebp, eax
                                  mov eax, dword ptr [00466014h]
                                  xor eax, ebp
                                  push eax
                                  mov dword ptr [ebp-10h], eax
                                  push dword ptr [ebp-04h]
                                  mov dword ptr [ebp-04h], FFFFFFFFh
                                  lea eax, dword ptr [ebp-0Ch]
                                  mov dword ptr fs:[00000000h], eax
                                   Name | Virtual Address | Virtual Size | Is in Section
                                   IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6469c | 0xc8 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6d000 | 0x1e0 | .rsrc
                                   IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6e000 | 0x4ea4 | .reloc
                                   IMAGE_DIRECTORY_ENTRY_DEBUG | 0x5d1a0 | 0x38 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_TLS | 0x5d27c | 0x18 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x5d1d8 | 0x40 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_IAT | 0x54000 | 0x324 | .rdata
                                   IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                   IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                   Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                   .text | 0x1000 | 0x5264a | 0x52800 | ef82979d949946bd234e046a5d2371dc | False | 0.5054776278409091 | zlib compressed data | 6.56427678012931 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                   .rdata | 0x54000 | 0x118d2 | 0x11a00 | 4b118dc98dab27fcc7075fed7903471a | False | 0.42483931737588654 | data | 5.016991696711072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .data | 0x66000 | 0x667c | 0x3400 | e73079fc6017490f501f52e9114a7b7a | False | 0.15301983173076922 | DOS executable (block device driver @\273) | 3.7606148271111945 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                   .rsrc | 0x6d000 | 0x1e0 | 0x200 | 4a05bbd64487346fb2d65a9ea12c5f5e | False | 0.53125 | data | 4.7176788329467545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                   .reloc | 0x6e000 | 0x4ea4 | 0x5000 | 8db40983a0908633d7909b7d9703dc0d | False | 0.703857421875 | data | 6.604156026621878 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                   Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                   RT_MANIFEST | 0x6d060 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                   DLL | Import
                                   KERNEL32.dll | CreateThread, GetLocalTime, GetThreadContext, GetProcAddress, VirtualAllocEx, RemoveDirectoryA, ReadProcessMemory, GetSystemInfo, CreateDirectoryA, SetThreadContext, SetEndOfFile, DecodePointer, ReadConsoleW, HeapReAlloc, HeapSize, CloseHandle, CreateFileA, GetFileAttributesA, GetLastError, Sleep, GetTempPathA, SetCurrentDirectoryA, GetModuleHandleA, ResumeThread, GetComputerNameExW, GetVersionExW, CreateMutexA, VirtualAlloc, WriteFile, VirtualFree, WriteProcessMemory, GetModuleFileNameA, CreateProcessA, ReadFile, GetTimeZoneInformation, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetStringTypeW, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, SetFilePointerEx, SetStdHandle, GetFullPathNameW, GetCurrentDirectoryW, DeleteFileW, LCMapStringW, CompareStringW, MultiByteToWideChar, HeapAlloc, HeapFree, GetCommandLineW, GetCommandLineA, GetStdHandle, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, PeekNamedPipe, GetFileType, GetFileInformationByHandle, GetDriveTypeW, RaiseException, GetCurrentThreadId, IsProcessorFeaturePresent, QueueUserWorkItem, GetModuleHandleExW, FormatMessageW, WideCharToMultiByte, EnterCriticalSection, LeaveCriticalSection, TryEnterCriticalSection, DeleteCriticalSection, SetLastError, InitializeCriticalSectionAndSpinCount, CreateEventW, SwitchToThread, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetSystemTimeAsFileTime, GetTickCount, GetModuleHandleW, WaitForSingleObjectEx, QueryPerformanceCounter, SetEvent, ResetEvent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, CreateTimerQueue, SignalObjectAndWait, SetThreadPriority, GetThreadPriority, GetLogicalProcessorInformation, CreateTimerQueueTimer, ChangeTimerQueueTimer, DeleteTimerQueueTimer, GetNumaHighestNodeNumber, GetProcessAffinityMask, SetThreadAffinityMask, RegisterWaitForSingleObject, UnregisterWait, EncodePointer, GetCurrentThread, GetThreadTimes, FreeLibrary, FreeLibraryAndExitThread, GetModuleFileNameW, LoadLibraryExW, VirtualProtect, DuplicateHandle, ReleaseSemaphore, InterlockedPopEntrySList, InterlockedPushEntrySList, InterlockedFlushSList, QueryDepthSList, UnregisterWaitEx, LoadLibraryW, RtlUnwind, ExitProcess, CreateFileW, WriteConsoleW
                                   USER32.dll | GetSystemMetrics, ReleaseDC, GetDC
                                   GDI32.dll | CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, DeleteObject, BitBlt
                                   ADVAPI32.dll | RegCloseKey, RegQueryInfoKeyW, RegGetValueA, RegQueryValueExA, GetSidSubAuthorityCount, GetSidSubAuthority, GetUserNameA, LookupAccountNameA, RegSetValueExA, RegOpenKeyExA, RegEnumValueW, GetSidIdentifierAuthority
                                   SHELL32.dll | SHGetFolderPathA, ShellExecuteA, SHFileOperationA
                                   ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize
                                   WININET.dll | HttpOpenRequestA, InternetWriteFile, InternetOpenUrlA, InternetOpenW, HttpEndRequestW, HttpAddRequestHeadersA, HttpSendRequestExA, InternetOpenA, InternetCloseHandle, HttpSendRequestA, InternetConnectA, InternetReadFile
                                   gdiplus.dll | GdipGetImageEncodersSize, GdipDisposeImage, GdiplusStartup, GdiplusShutdown, GdipGetImageEncoders, GdipSaveImageToFile, GdipCreateBitmapFromHBITMAP
                                   WS2_32.dll | closesocket, inet_pton, getaddrinfo, WSAStartup, send, socket, connect, recv, htons, freeaddrinfo
                                   Language of compilation system | Country where language is spoken
                                   English | United States
                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                  Target ID:0
                                  Start time:12:14:57
                                  Start date:27/08/2024
                                  Path:C:\Users\user\Desktop\I7GcHDtUIF.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\I7GcHDtUIF.exe"
                                  Imagebase:0x6f0000
                                  File size:445'440 bytes
                                  MD5 hash:BB63E746E54AE6A1FF2D5D01FC4B6C61
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000000.1659071184.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:1
                                  Start time:12:14:57
                                  Start date:27/08/2024
                                  Path:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe"
                                  Imagebase:0x140000
                                  File size:445'440 bytes
                                  MD5 hash:BB63E746E54AE6A1FF2D5D01FC4B6C61
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000000.1664512178.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe, Author: Joe Security
                                  Antivirus matches:
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 61%, ReversingLabs
                                  Reputation:low
                                  Has exited:false

                                  Target ID:2
                                  Start time:12:14:57
                                  Start date:27/08/2024
                                  Path:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Imagebase:0x140000
                                  File size:445'440 bytes
                                  MD5 hash:BB63E746E54AE6A1FF2D5D01FC4B6C61
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000000.1667726403.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:3
                                  Start time:12:15:00
                                  Start date:27/08/2024
                                  Path:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Imagebase:0x140000
                                  File size:445'440 bytes
                                  MD5 hash:BB63E746E54AE6A1FF2D5D01FC4B6C61
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000002.1692138583.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000003.00000000.1689588542.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true

                                  Target ID:4
                                  Start time:12:15:00
                                  Start date:27/08/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
                                  Imagebase:0x40000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:12:15:00
                                  Start date:27/08/2024
                                  Path:C:\Windows\System32\rundll32.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\cred64.dll, Main
                                  Imagebase:0x7ff722d00000
                                  File size:71'680 bytes
                                  MD5 hash:EF3179D498793BF4234F708D3BE28633
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:12:15:00
                                  Start date:27/08/2024
                                  Path:C:\Windows\System32\netsh.exe
                                  Wow64 process (32bit):false
                                  Commandline:netsh wlan show profiles
                                  Imagebase:0x7ff7d09f0000
                                  File size:96'768 bytes
                                  MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true

                                  Target ID:7
                                  Start time:12:15:00
                                  Start date:27/08/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:8
                                  Start time:12:15:01
                                  Start date:27/08/2024
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\309a138a12cecf\clip64.dll, Main
                                  Imagebase:0x840000
                                  File size:61'440 bytes
                                  MD5 hash:889B99C52A60DD49227C5E485A016679
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false

                                  Target ID:9
                                  Start time:12:15:03
                                  Start date:27/08/2024
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                                  Imagebase:0x7ff788560000
                                  File size:452'608 bytes
                                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:10
                                  Start time:12:15:03
                                  Start date:27/08/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:14
                                  Start time:12:16:00
                                  Start date:27/08/2024
                                  Path:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                  Imagebase:0x140000
                                  File size:445'440 bytes
                                  MD5 hash:BB63E746E54AE6A1FF2D5D01FC4B6C61
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000E.00000000.2288882399.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                   • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 0000000E.00000002.2290214428.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:2.4%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:25.6%
                                    Total number of Nodes:634
                                    Total number of Limit Nodes:12
                                    APIs
                                    • SetCurrentDirectoryA.KERNEL32(00000000,17E38E62,00000000), ref: 006FB21C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentDirectory
                                    • String ID: @3P$VUUU$hTru$htsu
                                    • API String ID: 1611563598-4134313468
                                    • Opcode ID: afb49466f8a0e3f6fe24ae64d3e7c55616636e86d32dada623eca660c29ab9e4
                                    • Instruction ID: d25a1898ca24b80e3f63c825fa886c1d972c201e19d12f20d0783f77272fcaf4
                                    • Opcode Fuzzy Hash: afb49466f8a0e3f6fe24ae64d3e7c55616636e86d32dada623eca660c29ab9e4
                                    • Instruction Fuzzy Hash: C9C2F571A0021CDFDB18DF28CD89BEDBBB6EF45304F508298E509AB291D7799A84CF51

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 6f85e0-6f8b86. Windows API calls: GetVersionExW, GetModuleHandleA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo. Internal calls: 727b40, 710a41, 70b230, 6f5ca0, 7110b3, 72a6ba, 6f5de0, 6f57c0, 72c5a1.
                                    APIs
                                    • GetVersionExW.KERNEL32(0000011C,17E38E62), ref: 006F865A
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006F86BB
                                    • GetProcAddress.KERNEL32(00000000), ref: 006F86C2
                                    • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006F8783
                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006F8787
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: InfoSystem$AddressHandleModuleNativeProcVersion
                                    • String ID:
                                    • API String ID: 374719553-0
                                    • Opcode ID: cc69bd414f54fc80d4459fe20132e81c4e9435b52246177344890dbaaf099c42
                                    • Instruction ID: f1885b8ec6e1646eab7987c1bb156a93e03c8546cb464607245025f8367ecebe
                                    • Opcode Fuzzy Hash: cc69bd414f54fc80d4459fe20132e81c4e9435b52246177344890dbaaf099c42
                                    • Instruction Fuzzy Hash: 4BD1F8B1E00348DBDB14BB68DC4A3ED7B62AB41310F9442CCE9156B3C2DB795E858BD6

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 729f7b-729fb6. Windows API calls: GetCurrentProcess, TerminateProcess, ExitProcess; reads the PEB. Internal calls: 72dce2, 729fbd.
                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,00729F7A,?,?,?,?,?,0072AFCE), ref: 00729F9D
                                    • TerminateProcess.KERNEL32(00000000,?,00729F7A,?,?,?,?,?,0072AFCE), ref: 00729FA4
                                    • ExitProcess.KERNEL32 ref: 00729FB6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 4fcc1174758d6690aeaa3d8c6bdb7bf6d2b97d6f8a27ced4c0958c69d9edbe0d
                                    • Instruction ID: 535813a85f74dc43ffc9df66e9c3b6e44ea63c64476906c5028a3ddb9595f9df
                                    • Opcode Fuzzy Hash: 4fcc1174758d6690aeaa3d8c6bdb7bf6d2b97d6f8a27ced4c0958c69d9edbe0d
                                    • Instruction Fuzzy Hash: 1BE046B1004258AFCF116F14EE0DA083B29FB56341F088015F905C6131CB3EEC92EB80

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                    • API String ID: 0-3963862150
                                    • Opcode ID: 9b7fe48ef2d254a3a8bb24102abf3f81ce7c0b0709b46a7af1262cf99bb9d9ed
                                    • Instruction ID: 882aa3cd9d137d62353b25022d5f1da92196be190b108a7225917dfb6662a778
                                    • Opcode Fuzzy Hash: 9b7fe48ef2d254a3a8bb24102abf3f81ce7c0b0709b46a7af1262cf99bb9d9ed
                                    • Instruction Fuzzy Hash: 7BF1B070A0025CEFEB14DF54CC89BEDBBB6EF44304F508298E509AB281D7B85A84CF95

                                    Control-flow Graph

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 006FEEE3
                                    • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 006FEFFF
                                    • send.WS2_32(?,?,00000004,00000000), ref: 006FF1FE
                                    • send.WS2_32(?,?,00000008,00000000), ref: 006FF23A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: send$CreateDirectoryFileModuleName
                                    • String ID:
                                    • API String ID: 2319890793-0
                                    • Opcode ID: 939f53b78d425cf430484a871624676c52bf0af6d4cd98c1e6282cdf78148d24
                                    • Instruction ID: 1a154f5af640563da814002fbe69cbba333c09e5de7dd58fdad6b51baa722c2a
                                    • Opcode Fuzzy Hash: 939f53b78d425cf430484a871624676c52bf0af6d4cd98c1e6282cdf78148d24
                                    • Instruction Fuzzy Hash: EEF10471D00218DBDB24DB68CC49BEDBBB6AF45310F1042D9E909A72D2EB759BC4CB91

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 73549c-7357c5. Windows API calls: GetFileType, GetLastError, CloseHandle (CreateFileW via subcall 735155). Internal calls: 7351ea, 72f82b, 72af50, 72af63, 735155, 72af2d, 72f776, 734f02, 735364, 72e928, 72f93e.
                                    APIs
                                      • Part of subcall function 00735155: CreateFileW.KERNELBASE(00000000,00000000,?,00735545,?,?,00000000,?,00735545,00000000,0000000C), ref: 00735172
                                    • GetLastError.KERNEL32 ref: 007355B0
                                    • __dosmaperr.LIBCMT ref: 007355B7
                                    • GetFileType.KERNELBASE(00000000), ref: 007355C3
                                    • GetLastError.KERNEL32 ref: 007355CD
                                    • __dosmaperr.LIBCMT ref: 007355D6
                                    • CloseHandle.KERNEL32(00000000), ref: 007355F6
                                    • CloseHandle.KERNEL32(?), ref: 00735743
                                    • GetLastError.KERNEL32 ref: 00735775
                                    • __dosmaperr.LIBCMT ref: 0073577C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID:
                                    • API String ID: 4237864984-0
                                    • Opcode ID: 715bc7aa46cfb071a5ce11e95cadf42937233b57ab91cb3c482a004a88913de8
                                    • Instruction ID: aa963856524d761bb2a59ce8977b87a4029139b568d7c3071d1e392e8bdfefaf
                                    • Opcode Fuzzy Hash: 715bc7aa46cfb071a5ce11e95cadf42937233b57ab91cb3c482a004a88913de8
                                    • Instruction Fuzzy Hash: 9AA14632A14658DFDF19DF68DC867AE3BA1AB06320F14015AE815AB3D2D73C9C12CB52

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 6fb170-6fb1ff. Windows API calls: Sleep, CreateMutexA, GetLastError (twice). Internal calls: 72a079, 6f9d90.
                                    APIs
                                    • Sleep.KERNELBASE(00000064), ref: 006FB173
                                    • CreateMutexA.KERNELBASE(00000000,00000000,00757224), ref: 006FB191
                                    • GetLastError.KERNEL32 ref: 006FB199
                                    • GetLastError.KERNEL32 ref: 006FB1AA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast$CreateMutexSleep
                                    • String ID: $ru
                                    • API String ID: 3645482037-4251167209
                                    • Opcode ID: 04a2c5579ddc1bd1efb9832c2eb21647b095956cfb04e060772170ad7fcb2230
                                    • Instruction ID: ec7e89e8384b9658b3fa76f219e3847d7478e87ab32cf7679a35bd4e3d14c785
                                    • Opcode Fuzzy Hash: 04a2c5579ddc1bd1efb9832c2eb21647b095956cfb04e060772170ad7fcb2230
                                    • Instruction Fuzzy Hash: EF01F435504208EBE3109B68FC09FAA37B6E705B11F508625F715C76E0DB789804CB69

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 6fe729-6fec99. Windows API calls: GetModuleFileNameA. Internal calls: 70ba50, 70b230, 6f5ca0, 6fe050, 70c990, 70bc70, 70cec0, 7110b3, 72a6ba, 6f9a40, 6f5f70, 6fb9b0, 710a41.
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 006FE737
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileModuleName
                                    • String ID: h,pu$h8uu$hiu
                                    • API String ID: 514040917-2616940553
                                    • Opcode ID: 02395e9d65157ca185df770ba4a768d330587d93d1f8e477f4253c589021b05c
                                    • Instruction ID: 71032f30cd456f123ad0acebdd70f2dbb5ddbe5a9a58409cb0302fcbd326ae5f
                                    • Opcode Fuzzy Hash: 02395e9d65157ca185df770ba4a768d330587d93d1f8e477f4253c589021b05c
                                    • Instruction Fuzzy Hash: 35E10671A00258DBEB19DB28CD497EDBF72AF45304F5042CDE4096B3D2D77A9B848B92

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 6ff09c-6ff689. Winsock API calls: send (four call sites), getaddrinfo, freeaddrinfo, socket, connect. Internal calls: 7110b3, 710a41, 72a6ba, 7100fc, 70fcba, 711ba0, 727b40, 710121, 710e32, 70fc09.
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb22adb041d93fb745e5d610718bf34395e8c89037533b4300239d091b5d6173
                                    • Instruction ID: aa43c0cdb62fd9c9e0796deb9ba2b48518a88918022fc4035585c0a225a4e20e
                                    • Opcode Fuzzy Hash: bb22adb041d93fb745e5d610718bf34395e8c89037533b4300239d091b5d6173
                                    • Instruction Fuzzy Hash: 36410872E002189BDB28CBBCCC857EDB7B5AF44324F104669E915E73D1EA749A808B84

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 006FB170: Sleep.KERNELBASE(00000064), ref: 006FB173
                                      • Part of subcall function 006FB170: CreateMutexA.KERNELBASE(00000000,00000000,00757224), ref: 006FB191
                                      • Part of subcall function 006FB170: GetLastError.KERNEL32 ref: 006FB199
                                      • Part of subcall function 006FB170: GetLastError.KERNEL32 ref: 006FB1AA
                                      • Part of subcall function 006F5CA0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 006F620D
                                    • CreateThread.KERNEL32(00000000,00000000,0070A3B0,00000000,00000000,00000000), ref: 0070A4F6
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001A440,00000000,00000000,00000000), ref: 0070A507
                                    • CreateThread.KERNEL32(00000000,00000000,0070A4D0,00000000,00000000,00000000), ref: 0070A518
                                    • Sleep.KERNEL32(00007530), ref: 0070A525
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$Thread$ErrorLastSleep$MutexOpen
                                    • String ID:
                                    • API String ID: 3966068485-0
                                    • Opcode ID: b23587b50b0c1800432bba21212511d0a30cf97689975e46f89c930708b7699f
                                    • Instruction ID: c9d78391563e821a22ae3eb5e89efa9f0f6382a9a7436df5e11468e24213d037
                                    • Opcode Fuzzy Hash: b23587b50b0c1800432bba21212511d0a30cf97689975e46f89c930708b7699f
                                    • Instruction Fuzzy Hash: B5F0E575BE8318F1F1B033E84C0BF5929865B45F54F314256B7197E1E19DC8381056AF

                                    Control-flow Graph

                                     Control-flow graph (rendered graph not recoverable from the page; legend: Executed / Not Executed). Function basic blocks 6f8060-6f85d7. Windows API calls: Sleep, SetCurrentDirectoryA. Internal calls: 70c0d0, 70bd70, 70b230, 6f5ca0, 70ba50, 6f7b60, 7110b3, 72a6ba, 710a41, 6f7620, 70bc70.
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
• Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: runas
                                    • API String ID: 3472027048-4000483414
                                    • Opcode ID: d9b8a3326d26faadb7a22fc08910864b1f12388ed4c239aaaa3f991f525ead72
                                    • Instruction ID: 92299e7008f80c45e1091532797103a6135ced3fdc44b4253b2b5dd6b322f4f8
                                    • Opcode Fuzzy Hash: d9b8a3326d26faadb7a22fc08910864b1f12388ed4c239aaaa3f991f525ead72
                                    • Instruction Fuzzy Hash: A8E12871A10248DFEB08EB78CD4A7AD7B72AF41700F50829CF5159B3C6DB799B848792

Control-flow Graph
• Named API calls in graph: none (internal calls only)
                                    Similarity
                                    • API ID: _free
                                    • String ID: rr
                                    • API String ID: 269201875-3931008020
                                    • Opcode ID: 80acef84d0935978d7b3b780f40a8a3184bb853d0c61c8a024842b98583bcff9
                                    • Instruction ID: 1d53c3d99aaa7599e26e1382b4686df5aba9ef1bcb892ed3f1062622cbe1af6f
                                    • Opcode Fuzzy Hash: 80acef84d0935978d7b3b780f40a8a3184bb853d0c61c8a024842b98583bcff9
                                    • Instruction Fuzzy Hash: EA014F72C00159FFDF01EFA89C059EE7FB5AF08310F144165F914E2152E6358A60DB91

Control-flow Graph
• Named API calls in graph: Sleep
                                    APIs
                                      • Part of subcall function 0070B230: __Cnd_destroy_in_situ.LIBCPMT ref: 0070B328
                                      • Part of subcall function 0070B230: __Mtx_destroy_in_situ.LIBCPMT ref: 0070B331
                                    • Sleep.KERNEL32(00001388), ref: 006FDDD9
                                    Similarity
                                    • API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
                                    • String ID:
                                    • API String ID: 113500496-0
                                    • Opcode ID: fee1787fbbb5d666b6e15bceef772682a87ee5c54e01036d50e785947f87b959
                                    • Instruction ID: 32ee80e98e2f7a3d1d142bd10a33035f6792c18d857de60d21ea3914cb055784
                                    • Opcode Fuzzy Hash: fee1787fbbb5d666b6e15bceef772682a87ee5c54e01036d50e785947f87b959
                                    • Instruction Fuzzy Hash: 1712F471A0020CDBDF04DF68C985BEDBBB7EF49304F54425DE905AB282D779AA84CB91

Control-flow Graph
• Named API calls in graph: GetModuleFileNameA, send, getaddrinfo, freeaddrinfo, socket, connect
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ccf56d24196f4cc008fc8439d77faac61fb95d79d2023925b77620ee2ac73b86
                                    • Instruction ID: a9165a39201d95c2d99e01ca46b36832983c1265b43ca53fc4f31ff66ac06859
                                    • Opcode Fuzzy Hash: ccf56d24196f4cc008fc8439d77faac61fb95d79d2023925b77620ee2ac73b86
                                    • Instruction Fuzzy Hash: C351C07090425CDBEB25DB24CC89BEEBBB2AB05300F5042D8D44967292DB765FC8CF91

Control-flow Graph
• Named API calls in graph: SHFileOperationA
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: fffe5ff79e92ac12552c087102262e053a3973a2049e604c1863a76743c0d71a
                                    • Instruction ID: 92a190b6d374ed5b04092bd729a63399dd62207d6cd6bd93c6b997b9d462151e
                                    • Opcode Fuzzy Hash: fffe5ff79e92ac12552c087102262e053a3973a2049e604c1863a76743c0d71a
                                    • Instruction Fuzzy Hash: 21317E7161124CEFDB04DF68C985BDEBBB6FB48304F508619F905A7281D7B9A980CB94

Control-flow Graph
• Named API calls in graph: none (internal calls only)
                                    Similarity
                                    • API ID: __wsopen_s
                                    • String ID:
                                    • API String ID: 3347428461-0
                                    • Opcode ID: 1af3b2eb1543e4aadf9f52307da1446f0a12d42b16340218c22a31a93dee923f
                                    • Instruction ID: 97dcf03974937560c0c9a94f547b8d40bda2859d3245b5d2b4b959c0afc7194e
                                    • Opcode Fuzzy Hash: 1af3b2eb1543e4aadf9f52307da1446f0a12d42b16340218c22a31a93dee923f
                                    • Instruction Fuzzy Hash: 11111571A0420AAFCB09DF58E94599A7BF4EF48304F144069F809AB251D674EA11CBA4
                                    APIs
                                    • GetUserNameA.ADVAPI32(?,?), ref: 006FB9FD
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    • Opcode ID: 65783514ccc6010b08adf8609ed11b6b23d955427add5251cc45b3af2136eddd
                                    • Instruction ID: 285224eeb3fbdf3ab1b515355db7fca0bd76df4d1cf933a0174775da1d629dba
                                    • Opcode Fuzzy Hash: 65783514ccc6010b08adf8609ed11b6b23d955427add5251cc45b3af2136eddd
                                    • Instruction Fuzzy Hash: 70212CB181011CDBDB29CF14CC65BEAB7B8FB09704F0042D9A50A63181D7745B88CFA0
                                    APIs
                                    • CreateFileW.KERNELBASE(00000000,00000000,?,00735545,?,?,00000000,?,00735545,00000000,0000000C), ref: 00735172
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 97d9c0494335295cf06572bcbf5b6a1e0f1b8817fedd3af2367aa7e26dc0bf74
                                    • Instruction ID: 681c9f8fb34602c4be1bf2c568caf9ac50398a51cf7ffa9c184c9b2395be98ca
                                    • Opcode Fuzzy Hash: 97d9c0494335295cf06572bcbf5b6a1e0f1b8817fedd3af2367aa7e26dc0bf74
                                    • Instruction Fuzzy Hash: 70D06C3200020DBBDF028F84DD06EDA3BAAFB88714F018000BA5856020C776E821AB94
                                    APIs
                                    • GetFileAttributesA.KERNELBASE(?), ref: 006F8FC9
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 001fb0c38faf344a724ed9017bd2de66f882117c823f8f9a28099e47fafc5195
                                    • Instruction ID: 006055240a36e365f3d59018bb840a6891586e3145c95be0e729e2eb2c268a80
                                    • Opcode Fuzzy Hash: 001fb0c38faf344a724ed9017bd2de66f882117c823f8f9a28099e47fafc5195
                                    • Instruction Fuzzy Hash: ECC08C340226081EEE1C0E3868881FA3303A9433E43D40BC4F3768B6F2CB396807E600
                                    APIs
                                    • GetFileAttributesA.KERNELBASE(?), ref: 006F8FC9
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: ac3d03e81d83eb055ae8aa47b5ba368028002a893d70dd1081c0217259cd0446
                                    • Instruction ID: d4b61d7d8fc3168fbcf256c3cb47e23e529b90a4bb931f47e41e62618aa13c41
                                    • Opcode Fuzzy Hash: ac3d03e81d83eb055ae8aa47b5ba368028002a893d70dd1081c0217259cd0446
                                    • Instruction Fuzzy Hash: D2C080340121045FD61C4F3864481753313A9033953E00BC8F332475F1CB36D503C710
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 006F797D
                                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 006F79DB
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 006F79F4
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 006F7A09
                                    • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 006F7A29
                                    Similarity
                                    • API ID: Process$AllocContextCreateFileMemoryModuleNameReadThreadVirtual
                                    • String ID: $VUUU$invalid stoi argument
                                    • API String ID: 338953623-3954507777
                                    • Opcode ID: 425b52d14dbbb794bf443a99ef89a0e99834ab92ba17a2e952a367d57efaa170
                                    • Instruction ID: 91e2925bd31bdc4af842b4c3c5efd5117c64bccbc840806767364a6100130135
                                    • Opcode Fuzzy Hash: 425b52d14dbbb794bf443a99ef89a0e99834ab92ba17a2e952a367d57efaa170
                                    • Instruction Fuzzy Hash: E651C371604305EFD7609F64DC06FAAB7E9FF45704F004529F744EA2E0EBB8A9148B9A
                                    APIs
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00714968
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 007149B4
                                      • Part of subcall function 007160AF: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 007161A2
                                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00714A20
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00714A3C
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00714A90
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00714ABD
                                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00714B13
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                                    • String ID: (
                                    • API String ID: 2943730970-3887548279
                                    • Opcode ID: 59397745f904712498d3eba80a474aa79d9662ce202d6ada6863fbe68e609b95
                                    • Instruction ID: bfd189107da63c8166cfd53f5e4f6d4b5b684f534d6fe859b94655f70cad4532
                                    • Opcode Fuzzy Hash: 59397745f904712498d3eba80a474aa79d9662ce202d6ada6863fbe68e609b95
                                    • Instruction Fuzzy Hash: 0DB18BB0A00211EFDB28CF58D991BBAB7B5FF44701F14815EE505AB691D378ED81CBA4
                                    APIs
                                      • Part of subcall function 0071674E: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00716761
                                    • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00715066
                                      • Part of subcall function 00716861: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 0071688B
                                      • Part of subcall function 00716861: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 007168FA
                                    • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00715198
                                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 007151F8
                                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00715204
                                    • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 0071523F
                                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00715260
                                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0071526C
                                    • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00715275
                                    • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0071528D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                                    • String ID:
                                    • API String ID: 2508902052-0
                                    • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                                    • Instruction ID: b1280122cd0fb1aec1c5e885237112667d5db64098a839e26e594ba144f2be77
                                    • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                                    • Instruction Fuzzy Hash: 2D815D71A00615EFCB19DFACC984AADB7F1FF88304B1545ADD445A7741D734AD92CB80
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __floor_pentium4
                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                    • API String ID: 4168288129-2761157908
                                    • Opcode ID: b28e9b90b397730e0093af913e3785799ef6fbe55ee8ecf37d5b787beffae00d
                                    • Instruction ID: c54eb7ba305314a2ff80ae58ce60a9efc6f8a70f265140701b90e62dba434d79
                                    • Opcode Fuzzy Hash: b28e9b90b397730e0093af913e3785799ef6fbe55ee8ecf37d5b787beffae00d
                                    • Instruction Fuzzy Hash: 97C21CB1E086298FEB39CE28DD407A9B7B5EB44315F1441EAD44DE7242E778AE81CF40
                                    APIs
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 007226D4
                                      • Part of subcall function 0071C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0071C9A3
                                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0072273A
                                    • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 00722752
                                    • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0072275F
                                      • Part of subcall function 00722202: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0072222A
                                      • Part of subcall function 00722202: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 007222C2
                                      • Part of subcall function 00722202: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 007222CC
                                      • Part of subcall function 00722202: Concurrency::location::_Assign.LIBCMT ref: 00722300
                                      • Part of subcall function 00722202: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00722308
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                                    • String ID:
                                    • API String ID: 2363638799-0
                                    • Opcode ID: f191caf7454b0f13b5f4b12419ae85a5b357fc818ca2c695f88fa775ac0f0a61
                                    • Instruction ID: 9200299dd60e29f80cf075d49c4e9694e67095124410037968ae904007297880
                                    • Opcode Fuzzy Hash: f191caf7454b0f13b5f4b12419ae85a5b357fc818ca2c695f88fa775ac0f0a61
                                    • Instruction Fuzzy Hash: E451A435A04224EBCF14DF64D986BADB771AF44710F154059EA067B3D3CB78AE42DBA0
                                    APIs
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0072A5F6
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0072A600
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0072A60D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                    • String ID:
                                    • API String ID: 3906539128-0
                                    • Opcode ID: c6ca7a1e160543dd68d411a2e6ac7e1634dd653bc718d2d241fbc09b51e90bfa
                                    • Instruction ID: 8a47f70259016984cf571711cbfb3ae4f306c51345b1ac588575e3ae2e697f28
                                    • Opcode Fuzzy Hash: c6ca7a1e160543dd68d411a2e6ac7e1634dd653bc718d2d241fbc09b51e90bfa
                                    • Instruction Fuzzy Hash: 5C319375901229ABCB21DF68DD89BCDBBB8AF18310F5042DAE41CA7290E7749B858F45
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5bcb9125e46dd260250ceeb7aa5cf0635380794f5829f302e773a8b16c76b392
                                    • Instruction ID: 42d000894aa83be566289278aefa22d809c77e108c76ec9bb283917dc6b49ae1
                                    • Opcode Fuzzy Hash: 5bcb9125e46dd260250ceeb7aa5cf0635380794f5829f302e773a8b16c76b392
                                    • Instruction Fuzzy Hash: B6F12D71E01219AFEF14CFA8C8906ADBBB1FF88314F258269D919EB345D735AD41CB90
                                    APIs
                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0073AA24,?,?,00000008,?,?,007398AB,00000000), ref: 0073AC56
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionRaise
                                    • String ID:
                                    • API String ID: 3997070919-0
                                    • Opcode ID: 2dff7b9cfd1bdc88554b5b8e5b12232c72a821c4d819f542a1b81d6f1da5d42b
                                    • Instruction ID: 3e5d4742abb5830080191ae5467394ed7503c2adc4707e32d83cf72fe8aa6d95
                                    • Opcode Fuzzy Hash: 2dff7b9cfd1bdc88554b5b8e5b12232c72a821c4d819f542a1b81d6f1da5d42b
                                    • Instruction Fuzzy Hash: A4B14D72610608EFE715CF28C486B657BA1FF45364F258658E8DACF2A2C339E981CB41
                                    APIs
                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 007117F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FeaturePresentProcessor
                                    • String ID:
                                    • API String ID: 2325560087-0
                                    • Opcode ID: 2afd58856e4ebb4960ae5e2d2b71925d3f60e588f74d6ea34010478ea12cb93d
                                    • Instruction ID: b343c35226e1bf3b1aec1467b5f81d36360a0633694997e78c1fddd8d49912a7
                                    • Opcode Fuzzy Hash: 2afd58856e4ebb4960ae5e2d2b71925d3f60e588f74d6ea34010478ea12cb93d
                                    • Instruction Fuzzy Hash: 6E514B71E003058BEB14CF58D8957EABBF0FB88311F64C52AD516EB290D3B9A980CB54
                                    APIs
                                    • NtFlushProcessWriteBuffers.NTDLL ref: 007105FA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BuffersFlushProcessWrite
                                    • String ID:
                                    • API String ID: 2982998374-0
                                    • Opcode ID: 6b65be1ee178d2cdb88a4e5dae0a4f45f90a6b85f2afa5616903b71b2df3cdbe
                                    • Instruction ID: 95f9fe2c6f87344aab8ae21b8fc7979cd9129b962c49329770d0f0f9d7bae1b8
                                    • Opcode Fuzzy Hash: 6b65be1ee178d2cdb88a4e5dae0a4f45f90a6b85f2afa5616903b71b2df3cdbe
                                    • Instruction Fuzzy Hash: 95B09232A025348B8A512B18BE05ADD7B66AA45E1230A406A9901A7264CBAC5C815FC8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 0
                                    • API String ID: 0-4108050209
                                    • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                    • Instruction ID: e2c9c173ca00bbed7a8e09612d3f53f29f79f876713a05002fc428ea6f8c642f
                                    • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                                    • Instruction Fuzzy Hash: A6516B706007B9DADB388A2DB8DA7BE77A99F12300F54441DE6C6D7282C71DBD89C351
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 4
                                    • API String ID: 0-4088798008
                                    • Opcode ID: c24b480354821d6bfb905789ba063c8b5eec545ba9747ba37d4023eaace15726
                                    • Instruction ID: df0260e20dd7e34d7bd35e8fe8a41e6f1de1900e988d913dda111159247cf25b
                                    • Opcode Fuzzy Hash: c24b480354821d6bfb905789ba063c8b5eec545ba9747ba37d4023eaace15726
                                    • Instruction Fuzzy Hash: B361F7B1E04616DFCB18CF59C580AAEB7B1BF48314F2585A9D845AB745C338FE86CB90
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 342e6c8588cc7957411ff75ba15afcfc4a480528b784e85242cf80fc40993d90
                                    • Instruction ID: fe7520678e584b0d3dffff37de033a70cf1c5a0071d06b1f448e9a0347f2cca1
                                    • Opcode Fuzzy Hash: 342e6c8588cc7957411ff75ba15afcfc4a480528b784e85242cf80fc40993d90
                                    • Instruction Fuzzy Hash: 8E2252B3F516144BDB0CCB9DDCA27EDB2E3AFD821470E803DA40AE3345EA79D9158684
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bb8f18e6c9984fa2dcc977f4fc0cc70b6690e090e23e3a81e038cfc1208019da
                                    • Instruction ID: bdb8d1a5cb3b24cd1c05a66aaf3ed64f488b1bfc7e6ff9bde856b7ba1ec862ab
                                    • Opcode Fuzzy Hash: bb8f18e6c9984fa2dcc977f4fc0cc70b6690e090e23e3a81e038cfc1208019da
                                    • Instruction Fuzzy Hash: 1651D5712093918FD329CF2D901563ABFE1BFD5200F084A9EE4E687396D778D648CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6ca77996ec4b78af8b51ffcb74d35cc866515dd62b673a023e85c8a071f8a6dd
                                    • Instruction ID: ddc4c8d044d6c24421ab7c59a28b2855516b6ec60a482682d5522821cd174cb1
                                    • Opcode Fuzzy Hash: 6ca77996ec4b78af8b51ffcb74d35cc866515dd62b673a023e85c8a071f8a6dd
                                    • Instruction Fuzzy Hash: BF413C71B0A6A14BC71DCE2D8850276BFE79FD9200B08C6FED899CB746D579CA06C790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ad67da9acfe59fa0947730a3f72414faec19962b6349b334cdad9d5e61cec106
                                    • Instruction ID: cfad1f154da0eb7c57f45659fb5c5e2ddd284c95417cbfcf75dc95834b3dae65
                                    • Opcode Fuzzy Hash: ad67da9acfe59fa0947730a3f72414faec19962b6349b334cdad9d5e61cec106
                                    • Instruction Fuzzy Hash: 8921D373F204394B7B0CC47E8C522BDB6E1C68C601744823AE8A6EA2C1D96CD917E2E4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: acec10599ee27ae03f9a1138c3a46fd9dbfccffe34586691bebd45528269ff21
                                    • Instruction ID: c938e4cae65d82c216d908c7c7d6dc6e72f6948d3a90b9c1c3ce8f9b875a0ae3
                                    • Opcode Fuzzy Hash: acec10599ee27ae03f9a1138c3a46fd9dbfccffe34586691bebd45528269ff21
                                    • Instruction Fuzzy Hash: 6511CA23F30C295B775C816D8C172BA91D2DBD824070F433AD826E7284E998DE13D290
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction ID: 2466e3b6b41b5733018134d2422dd1902206490b9fb6ebd5a8cde4c74b789d61
                                    • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                    • Instruction Fuzzy Hash: EC11BDB724018243F6578AFDC4B82B7E385FBD5320F2C43BAE042AB71BD52AE8109700
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                    • Instruction ID: b4d3fda92c8b5dcd8450a5095690fceb998150da154a7fc2027f5445dccce30f
                                    • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                                    • Instruction Fuzzy Hash: EFE08C32A21238EBCB24DBD8D90898AF3ECEB89B01F1104A6B501D3210C274DE00C7D0
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 00732D84
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 0073293A
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 0073294C
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 0073295E
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 00732970
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 00732982
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 00732994
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 007329A6
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 007329B8
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 007329CA
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 007329DC
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 007329EE
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 00732A00
                                      • Part of subcall function 0073291D: _free.LIBCMT ref: 00732A12
                                    • _free.LIBCMT ref: 00732D79
                                      • Part of subcall function 0072E7D5: HeapFree.KERNEL32(00000000,00000000,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?), ref: 0072E7EB
                                      • Part of subcall function 0072E7D5: GetLastError.KERNEL32(?,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?,?), ref: 0072E7FD
                                    • _free.LIBCMT ref: 00732D9B
                                    • _free.LIBCMT ref: 00732DB0
                                    • _free.LIBCMT ref: 00732DBB
                                    • _free.LIBCMT ref: 00732DDD
                                    • _free.LIBCMT ref: 00732DF0
                                    • _free.LIBCMT ref: 00732DFE
                                    • _free.LIBCMT ref: 00732E09
                                    • _free.LIBCMT ref: 00732E41
                                    • _free.LIBCMT ref: 00732E48
                                    • _free.LIBCMT ref: 00732E65
                                    • _free.LIBCMT ref: 00732E7D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID: 8bu$`gu
                                    • API String ID: 161543041-532315711
                                    • Opcode ID: 69d0d7ce2c6c45d9f602882feff2b8bbfe881b48f3c6c0e1cb39ea5d7e2a6cad
                                    • Instruction ID: 9b270e38336cf3d5fb60b143ca38bd5e9c85f537ac664ad79212d15fecf6a8a8
                                    • Opcode Fuzzy Hash: 69d0d7ce2c6c45d9f602882feff2b8bbfe881b48f3c6c0e1cb39ea5d7e2a6cad
                                    • Instruction Fuzzy Hash: F7314D31600715DFFB21AA38E84EB5A77E9EF00720F144829E455D76A3EF78EC428B20
                                    APIs
                                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00726133
                                      • Part of subcall function 00725F31: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00725F54
                                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00726154
                                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00726161
                                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 007261AF
                                    • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 00726236
                                    • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00726249
                                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00726296
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                                    • String ID:
                                    • API String ID: 2530155754-0
                                    • Opcode ID: 2dd562fef51456b27cd85eb1c9df1b64c13b0d2302c4872736a17368f71d81c0
                                    • Instruction ID: 22ec0074baf09553751298964b957325c5122fa50bd142cc7c99a17f809e24a5
                                    • Opcode Fuzzy Hash: 2dd562fef51456b27cd85eb1c9df1b64c13b0d2302c4872736a17368f71d81c0
                                    • Instruction Fuzzy Hash: C281BE30800269EFDF16DF54E945BFE7BB2AF06304F04009AEC416B292C73A9D65DB61
                                    APIs
                                    • ListArray.LIBCONCRT ref: 00717F8A
                                      • Part of subcall function 00717D6B: InitializeSListHead.KERNEL32(?,?,00000000,?,?), ref: 00717E37
                                      • Part of subcall function 00717D6B: InitializeSListHead.KERNEL32(?), ref: 00717E41
                                    • ListArray.LIBCONCRT ref: 00717FBE
                                    • Hash.LIBCMT ref: 00718027
                                    • Hash.LIBCMT ref: 00718037
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 007180CC
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 007180D9
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 007180E6
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 007180F3
                                      • Part of subcall function 0071D694: std::bad_exception::bad_exception.LIBCMT ref: 0071D6B6
                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,0071B468,?,000000FF,00000000), ref: 0071817B
                                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0071819D
                                    • GetLastError.KERNEL32(00718EDD,?,?,00000000,?,?), ref: 007181AF
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 007181CC
                                      • Part of subcall function 007135FC: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,00718EDD,00000008,?,007181D1,?,00000000,0071B459,?,7FFFFFFF,7FFFFFFF,00000000), ref: 00713614
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 007181F6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                                    • String ID:
                                    • API String ID: 2750799244-0
                                    • Opcode ID: fe6b75a985002eeb474b64fc497a69bdac920d3ab2fe272362f15b4ee3f668e0
                                    • Instruction ID: 51ca6c2f33c7da292e5946aa802aa94789091088fa7d549905b871ba2cfc1218
                                    • Opcode Fuzzy Hash: fe6b75a985002eeb474b64fc497a69bdac920d3ab2fe272362f15b4ee3f668e0
                                    • Instruction Fuzzy Hash: D68142B0A10A56FBD718DF78C8497D9FBA8BF09700F10421BF52897281DB7865A4CBD1
                                    APIs
                                    • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00716293
                                      • Part of subcall function 0071757E: GetVersionExW.KERNEL32(?), ref: 007175A2
                                      • Part of subcall function 0071757E: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00717641
                                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 007162A7
                                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 007162C8
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00716331
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00716365
                                      • Part of subcall function 0071423F: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0071425F
                                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 007163E5
                                      • Part of subcall function 00715DAE: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00715DC2
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0071642D
                                      • Part of subcall function 00714214: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00714230
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00716441
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00716452
                                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 0071649F
                                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 007164C4
                                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 007164D0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                                    • String ID:
                                    • API String ID: 4140532746-0
                                    • Opcode ID: b8cb38dceeb5d5df5e220cd1ade5d1c09962d055670f4c5ef8032345aa91737a
                                    • Instruction ID: ceabeb5ec1e2194cfbd930b090c531f3df313188872365ac5321df8b3752ca7e
                                    • Opcode Fuzzy Hash: b8cb38dceeb5d5df5e220cd1ade5d1c09962d055670f4c5ef8032345aa91737a
                                    • Instruction Fuzzy Hash: 2881A075A00256CFCF18DFACD8955EDB7B5BB48301B24802ED945E3680EBBC9AC1CB64
                                    APIs
                                    • _free.LIBCMT ref: 0072DF4F
                                      • Part of subcall function 0072E7D5: HeapFree.KERNEL32(00000000,00000000,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?), ref: 0072E7EB
                                      • Part of subcall function 0072E7D5: GetLastError.KERNEL32(?,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?,?), ref: 0072E7FD
                                    • _free.LIBCMT ref: 0072DF5B
                                    • _free.LIBCMT ref: 0072DF66
                                    • _free.LIBCMT ref: 0072DF71
                                    • _free.LIBCMT ref: 0072DF7C
                                    • _free.LIBCMT ref: 0072DF87
                                    • _free.LIBCMT ref: 0072DF92
                                    • _free.LIBCMT ref: 0072DF9D
                                    • _free.LIBCMT ref: 0072DFA8
                                    • _free.LIBCMT ref: 0072DFB6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID: 8qt
                                    • API String ID: 776569668-3027603624
                                    • Opcode ID: 48c9737262be0fb8cf29d50352eb28102a8f799c20951a18212b6bfecb23cc15
                                    • Instruction ID: c49f9cd59ba59e22f7be678f6e21771cff969aafba10606d2be0b50adbcc4be2
                                    • Opcode Fuzzy Hash: 48c9737262be0fb8cf29d50352eb28102a8f799c20951a18212b6bfecb23cc15
                                    • Instruction Fuzzy Hash: 8521757A90011CEFCB41EFA4D885DDE7BB9BF08350F0141A6F6159B661EB35EA54CB80
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00717638), ref: 007134D1
                                    • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 007134DF
                                    • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 007134ED
                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0071351B
                                    • GetLastError.KERNEL32(?,?,?,00717638), ref: 00713536
                                    • GetLastError.KERNEL32(?,?,?,00717638), ref: 00713542
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00713558
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                                    • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                                    • API String ID: 1654681794-465693683
                                    APIs
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 00728DF0
                                    • type_info::operator==.LIBVCRUNTIME ref: 00728E17
                                    • ___TypeMatch.LIBVCRUNTIME ref: 00728F23
                                    • CatchIt.LIBVCRUNTIME ref: 00728F78
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 00728FFE
                                    • _UnwindNestedFrames.LIBCMT ref: 00729085
                                    • CallUnexpected.LIBVCRUNTIME ref: 007290A0
                                    Similarity
                                    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 4234981820-393685449
                                    Similarity
                                    • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                                    • String ID: y/o
                                    • API String ID: 3943753294-1802554985
                                    APIs
                                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 007263D2
                                      • Part of subcall function 00725F31: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00725F54
                                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 007263F3
                                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00726400
                                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0072644E
                                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 007264F6
                                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00726528
                                    Similarity
                                    • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                                    • String ID:
                                    • API String ID: 1256429809-0
                                    APIs
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 007224CC
                                      • Part of subcall function 0071C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0071C9A3
                                    • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 007224E5
                                    • Concurrency::location::_Assign.LIBCMT ref: 007224FB
                                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 00722568
                                    • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 00722570
                                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00722597
                                    • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 007225A3
                                    • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 007225DB
                                    • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 007225FA
                                    • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 00722608
                                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0072262F
                                    Similarity
                                    • API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
                                    • String ID:
                                    • API String ID: 3608406545-0
                                    APIs
                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0071A472
                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0071A4A4
                                    • List.LIBCONCRT ref: 0071A4DF
                                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0071A4F0
                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0071A50C
                                    • List.LIBCONCRT ref: 0071A547
                                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0071A558
                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0071A573
                                    • List.LIBCONCRT ref: 0071A5AE
                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0071A5BB
                                      • Part of subcall function 00719932: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0071994A
                                      • Part of subcall function 00719932: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0071995C
                                    Similarity
                                    • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                                    • String ID:
                                    • API String ID: 3403738998-0
                                    APIs
                                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0071AE03
                                    • SwitchToThread.KERNEL32(?), ref: 0071AE26
                                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0071AE45
                                    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0071AE61
                                    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 0071AE6C
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0071AE93
                                    Similarity
                                    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
                                    • String ID: count$ppVirtualProcessorRoots
                                    • API String ID: 3791123369-3650809737
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0071A889
                                    • GetCurrentProcess.KERNEL32 ref: 0071A891
                                    • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 0071A8A6
                                    • SafeRWList.LIBCONCRT ref: 0071A8C6
                                      • Part of subcall function 007188C0: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 007188D1
                                      • Part of subcall function 007188C0: List.LIBCMT ref: 007188DB
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0071A8D8
                                    • GetLastError.KERNEL32 ref: 0071A8E7
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0071A8FD
                                    Similarity
                                    • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
                                    • String ID: eventObject
                                    • API String ID: 165577817-1680012138
                                    APIs
                                    • InternetOpenW.WININET(0074CE10,00000000,00000000,00000000,00000000), ref: 006FD4AC
                                    • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 006FD4D0
                                    • HttpOpenRequestA.WININET(?,00000000), ref: 006FD51A
                                    • HttpSendRequestA.WININET(?,00000000), ref: 006FD5DA
                                    • InternetReadFile.WININET(?,?,000003FF,?), ref: 006FD68C
                                    • InternetReadFile.WININET(?,00000000,000003FF,?), ref: 006FD740
                                    • InternetCloseHandle.WININET(?), ref: 006FD767
                                    • InternetCloseHandle.WININET(?), ref: 006FD76F
                                    • InternetCloseHandle.WININET(?), ref: 006FD777
                                    Similarity
                                    • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
                                    • String ID:
                                    • API String ID: 1354133546-0
                                    APIs
                                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0071B356
                                      • Part of subcall function 0071970B: __EH_prolog3_catch.LIBCMT ref: 00719712
                                      • Part of subcall function 0071970B: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0071974B
                                    • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 0071B364
                                      • Part of subcall function 0071A370: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 0071A395
                                      • Part of subcall function 0071A370: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 0071A3B8
                                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0071B37D
                                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0071B389
                                      • Part of subcall function 0071970B: InterlockedPopEntrySList.KERNEL32(?), ref: 00719794
                                      • Part of subcall function 0071970B: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 007197C3
                                      • Part of subcall function 0071970B: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 007197D1
                                    • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 0071B3D5
                                    • Concurrency::location::_Assign.LIBCMT ref: 0071B3F6
                                    • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 0071B3FE
                                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0071B410
                                    • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 0071B440
                                    Similarity
                                    • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                                    • String ID:
                                    • API String ID: 2678502038-0
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 007243EE
                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00719701,?), ref: 00724400
                                    • GetCurrentThread.KERNEL32 ref: 00724408
                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00719701,?), ref: 00724410
                                    • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00719701,?), ref: 00724429
                                    • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 0072444A
                                      • Part of subcall function 00713C63: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00713C7D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00719701,?), ref: 0072445C
                                    • GetLastError.KERNEL32(?,?,?,?,?,00719701,?), ref: 00724487
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0072449D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                                    • String ID:
                                    • API String ID: 1293880212-0
                                    • Opcode ID: e19b96c61d62ec7dd3192c49fdb0eb0b4a3d97d0c707e7b940f46dbdecb36278
                                    • Instruction ID: 5d1b187d906244ae29e968bab1a69b1f30dc77105b5a7ca8f8fd2b7da6dee9f7
                                    • Opcode Fuzzy Hash: e19b96c61d62ec7dd3192c49fdb0eb0b4a3d97d0c707e7b940f46dbdecb36278
                                    • Instruction Fuzzy Hash: 9B11E7B5600320EBCB10BBB4BC4EF9A3BA8AF16301F044076F949E6152DB7CC9009775
                                    APIs
                                    • _SpinWait.LIBCONCRT ref: 0071290E
                                    • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0071291A
                                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00712933
                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00712961
                                    • Concurrency::Context::Block.LIBCONCRT ref: 00712983
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                                    • String ID: Wt
                                    • API String ID: 1182035702-1704911172
                                    • Opcode ID: 3fb9f09cf2ace9bb264288ca8e96c756b55dcaba3e38d00863956ae5ef2547d5
                                    • Instruction ID: 2fd2dc43c2029ff81d17423582ef8bbe2fa5f730651b7686aeb56719a8e12978
                                    • Opcode Fuzzy Hash: 3fb9f09cf2ace9bb264288ca8e96c756b55dcaba3e38d00863956ae5ef2547d5
                                    • Instruction Fuzzy Hash: 4C21947080020EDADF25DFACC44A7EEB7B0BF14310F100529E051BA1C2EB795AD6CB50
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$___from_strstr_to_strchr
                                    • String ID:
                                    • API String ID: 3409252457-0
                                    • Opcode ID: b285bf814047a810fbe0ab67ce5552375b7b32a3e10c1b6ef2c8c4508c9518ef
                                    • Instruction ID: a613b84ce4a18514e92837933240ba668a91c13bcfe6999efdfad41ac391c635
                                    • Opcode Fuzzy Hash: b285bf814047a810fbe0ab67ce5552375b7b32a3e10c1b6ef2c8c4508c9518ef
                                    • Instruction Fuzzy Hash: EB511B71904315EFFF20AF749C86AAD7BA4AF01320F2441AEE91097683EB7D9943CB55
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 007282C7
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 007282CF
                                    • _ValidateLocalCookies.LIBCMT ref: 00728358
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00728383
                                    • _ValidateLocalCookies.LIBCMT ref: 007283D8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: 204c4b4ec25b2a9584ac77f7c729ee8699a06d3e2f430930107f26c030846b25
                                    • Instruction ID: 5e0958c6809c9f34fba152f875894c1f1a487743e6e462174542181c58a5130f
                                    • Opcode Fuzzy Hash: 204c4b4ec25b2a9584ac77f7c729ee8699a06d3e2f430930107f26c030846b25
                                    • Instruction Fuzzy Hash: 8A410634A01228DFCF50DF28D884A9EBBB0BF45724F048159E8146B393DB3AA941CB92
                                    APIs
                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00725592
                                      • Part of subcall function 00725861: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,007252DA), ref: 00725871
                                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 007255A7
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 007255B6
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0072567A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                                    • String ID: pContext$switchState
                                    • API String ID: 1312548968-2660820399
                                    • Opcode ID: fa9cfa692a0a1a85167d010af4cf8836c5a5f6e75f1c1758dd6cc3455bcddf57
                                    • Instruction ID: a67564783e1687dc6cae6a3c08cf50bcf10afbb4c08ed396ae9a10ab215c6a07
                                    • Opcode Fuzzy Hash: fa9cfa692a0a1a85167d010af4cf8836c5a5f6e75f1c1758dd6cc3455bcddf57
                                    • Instruction Fuzzy Hash: 5B312775A00624EFCF04EF68D985E6D73B6FF55710F2045A9E811AB282DB78EE05CB90
                                    APIs
                                    • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0072222A
                                      • Part of subcall function 00721F97: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00721FCA
                                      • Part of subcall function 00721F97: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00721FEC
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 007222A7
                                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 007222B3
                                    • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 007222C2
                                    • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 007222CC
                                    • Concurrency::location::_Assign.LIBCMT ref: 00722300
                                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00722308
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                                    • String ID:
                                    • API String ID: 1924466884-0
                                    • Opcode ID: 7d77db30d67a27c7d00f0af16807ecaaab3646a362d3e42fe37feb006db7b31b
                                    • Instruction ID: aeac0202e2ddc7836f2921fc2c879fd4059d42d37bab56a01cfa1c9f8c93c1fd
                                    • Opcode Fuzzy Hash: 7d77db30d67a27c7d00f0af16807ecaaab3646a362d3e42fe37feb006db7b31b
                                    • Instruction Fuzzy Hash: 08412C75A00214EFCB05EF64C485BADB7F5BF48310F5580A9DD459B382D738A941CFA1
                                    APIs
                                    • __EH_prolog3_catch.LIBCMT ref: 0071D6EF
                                    • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 0071D73B
                                    • std::bad_exception::bad_exception.LIBCMT ref: 0071D751
                                    • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 0071D793
                                    • std::bad_exception::bad_exception.LIBCMT ref: 0071D7BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::PolicyPolicy::_Schedulerstd::bad_exception::bad_exception$H_prolog3_catchResolveValidValueValues
                                    • String ID: |[t
                                    • API String ID: 921398678-2894952860
                                    • Opcode ID: bad02014aa3cc306e2516a05e3ca4db2d576c718d768c12d7e23a5ee57641b43
                                    • Instruction ID: d4b40d521f49652c62afc50edfc63184ae24958e7805641278b9aee02e1523a1
                                    • Opcode Fuzzy Hash: bad02014aa3cc306e2516a05e3ca4db2d576c718d768c12d7e23a5ee57641b43
                                    • Instruction Fuzzy Hash: 242160B5900215DFDB15EFACD48A9EEB7B4EF04710B20402AF405AB1D2DB79AE86CF54
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 0-537541572
                                    • Opcode ID: bb00846dceac57db048761d42b00b0093590339c20e4e6cf65ca178d2aebf6d7
                                    • Instruction ID: e534e5e8e324c2d47f687c1383dd1159bf11c6e7bc375e67cacec982d732ab16
                                    • Opcode Fuzzy Hash: bb00846dceac57db048761d42b00b0093590339c20e4e6cf65ca178d2aebf6d7
                                    • Instruction Fuzzy Hash: 5521E4B5A05231EBCB218BA4FC45F2A3768AF02770F250551F906A7290D778ED40D6E4
                                    APIs
                                      • Part of subcall function 00732A84: _free.LIBCMT ref: 00732AA9
                                    • _free.LIBCMT ref: 00732B0A
                                      • Part of subcall function 0072E7D5: HeapFree.KERNEL32(00000000,00000000,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?), ref: 0072E7EB
                                      • Part of subcall function 0072E7D5: GetLastError.KERNEL32(?,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?,?), ref: 0072E7FD
                                    • _free.LIBCMT ref: 00732B15
                                    • _free.LIBCMT ref: 00732B20
                                    • _free.LIBCMT ref: 00732B74
                                    • _free.LIBCMT ref: 00732B7F
                                    • _free.LIBCMT ref: 00732B8A
                                    • _free.LIBCMT ref: 00732B95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 274dd61fdf06beebb7c8b8f2454822088dbe7c900fd2abe588607240b9dca85f
                                    • Instruction ID: 1acd3b85544032de42aa921ec92e9be05053c5c39bf20300f53017b52367bbb3
                                    • Opcode Fuzzy Hash: 274dd61fdf06beebb7c8b8f2454822088dbe7c900fd2abe588607240b9dca85f
                                    • Instruction Fuzzy Hash: E6115171540B14EBE534BBB0CC4FFCB7B9C5F00750F448825B6AA66553EB6DB5054650
                                    APIs
                                    • __Mtx_unlock.LIBCPMT ref: 0070A701
                                    • std::_Rethrow_future_exception.LIBCPMT ref: 0070A752
                                    • std::_Rethrow_future_exception.LIBCPMT ref: 0070A762
                                    • __Mtx_unlock.LIBCPMT ref: 0070A805
                                    • __Mtx_unlock.LIBCPMT ref: 0070A90B
                                    • __Mtx_unlock.LIBCPMT ref: 0070A946
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
                                    • String ID:
                                    • API String ID: 1997747980-0
                                    • Opcode ID: ee9a77fc3c626e0c071469734acf11bffb299d54d8a1afd753031a9baa260a74
                                    • Instruction ID: 2f0c2997194aa29b56fe6f972a1b4a519ea0b62b28ab9e31677f0e7c1eaf8ad7
                                    • Opcode Fuzzy Hash: ee9a77fc3c626e0c071469734acf11bffb299d54d8a1afd753031a9baa260a74
                                    • Instruction Fuzzy Hash: 4BC1C471D00708EFDB21DF64C945BAEBBF4AF04304F00866DE856976C2E779A944CB92
                                    APIs
                                    • GetConsoleCP.KERNEL32(?,006F8FB0,00000000), ref: 007336E8
                                    • __fassign.LIBCMT ref: 007338C7
                                    • __fassign.LIBCMT ref: 007338E4
                                    • WriteFile.KERNEL32(?,006F8FB0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0073392C
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0073396C
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00733A18
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLast
                                    • String ID:
                                    • API String ID: 4031098158-0
                                    • Opcode ID: 485f3027f086ecd5d412a7f8e174c35cd2fd82deeb3eac1c3676b2236076921f
                                    • Instruction ID: 9a4ef30b3768d3d860a23db618972d87b9c62bfcf1d1b424e3383189f7163809
                                    • Opcode Fuzzy Hash: 485f3027f086ecd5d412a7f8e174c35cd2fd82deeb3eac1c3676b2236076921f
                                    • Instruction Fuzzy Hash: F1D18FB5D00258DFDF25CFE8C884AEDBBB5AF48314F28416AE855F7242E734AA45CB50
                                    APIs
                                    • Concurrency::location::_Assign.LIBCMT ref: 00722371
                                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00722379
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 007223A3
                                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 007223AC
                                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0072242F
                                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00722437
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                                    • String ID:
                                    • API String ID: 3929269971-0
                                    • Opcode ID: a04eda8085dff45926623c50600766ccd16b5f55fab1254fddf0cd4f961ea044
                                    • Instruction ID: f8e5510f31f590b658b97f95ec76270cd804060b10b7ab3fa09c9d0ba6d69211
                                    • Opcode Fuzzy Hash: a04eda8085dff45926623c50600766ccd16b5f55fab1254fddf0cd4f961ea044
                                    • Instruction Fuzzy Hash: FF414075A00519EFCB09EF68D555AADB7B5FF48310F048159E906AB391CB78AE01CF81
                                    APIs
                                    • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0071DABC
                                      • Part of subcall function 0071EFB3: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0071F002
                                    • GetCurrentThread.KERNEL32 ref: 0071DAC6
                                    • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0071DAD2
                                      • Part of subcall function 00713DDA: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00713DEC
                                      • Part of subcall function 00714266: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0071426D
                                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0071DB15
                                      • Part of subcall function 0071EF65: SetEvent.KERNEL32(?,?,0071DB1A,0071E8AE,00000000,?,00000000,0071E8AE,00000004,0071EF5A,?,00000000,?,?,00000000), ref: 0071EFA9
                                    • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0071DB1E
                                      • Part of subcall function 0071E594: List.LIBCONCRT ref: 0071E5CA
                                    • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0071DB2E
                                    Similarity
                                    • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
                                    • String ID:
                                    • API String ID: 318399070-0
                                    • Opcode ID: 7ceff88e8a926887496e72db925fcb1af910edc31212470ba6ca5c2e7ae052c2
                                    • Instruction ID: 39411be874688812fff57c33d172a6f6c9461a887350558fc69a0c3a5f2658b7
                                    • Opcode Fuzzy Hash: 7ceff88e8a926887496e72db925fcb1af910edc31212470ba6ca5c2e7ae052c2
                                    • Instruction Fuzzy Hash: 92219872500A10DBCB24EF68D9908AAB3F9FF4C700701495EE843976A1DB78B981CBA1
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0072897E,00727542,0070EFA5,17E38E62,?,00000000,0073F2B8,000000FF,?,006F23EA,?,?), ref: 00728995
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 007289A3
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007289BC
                                    • SetLastError.KERNEL32(00000000,?,0072897E,00727542,0070EFA5,17E38E62,?,00000000,0073F2B8,000000FF,?,006F23EA,?,?), ref: 00728A0E
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 763d04c8c286f77fe67037606c069f4a762ad252f3332c3f08fb9e8519ab9b17
                                    • Instruction ID: 748a61b0230670d3000553d2f3355dd407ddc9721de02c68516f3dae94f380bf
                                    • Opcode Fuzzy Hash: 763d04c8c286f77fe67037606c069f4a762ad252f3332c3f08fb9e8519ab9b17
                                    • Instruction Fuzzy Hash: 3B01D43310A331AEA66526747C8AFAB2655DB52376B20433FF229530E0FF9F6C416586
                                    APIs
                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0071367B
                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00713681
                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 007136AE
                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 007136B8
                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 007136CA
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 007136E0
                                    Similarity
                                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                                    • String ID:
                                    • API String ID: 2808382621-0
                                    • Opcode ID: 110386fc877de0e2c233482ec83093031d3bc06258d742cf970dd90e5854db7f
                                    • Instruction ID: 034bca0139dfda9df52278a6051ae7fbdae72b2c2de72d7825f2141555217a24
                                    • Opcode Fuzzy Hash: 110386fc877de0e2c233482ec83093031d3bc06258d742cf970dd90e5854db7f
                                    • Instruction Fuzzy Hash: 9501F235700019FBDB11AB69EC0AFEF37ACAF62311B104425F619E21E1DB3CDA959768
                                    Similarity
                                    • API ID:
                                    • String ID: list too long
                                    • API String ID: 0-1124181908
                                    • Opcode ID: e285c2713afa61cf48f31452e510f282f81a13caaf921e2d17a476ed9191bb4a
                                    • Instruction ID: 3540fca55391f68b0fa00608e280b842e1b1107c3b9e4591b33ca4c168b329a2
                                    • Opcode Fuzzy Hash: e285c2713afa61cf48f31452e510f282f81a13caaf921e2d17a476ed9191bb4a
                                    • Instruction Fuzzy Hash: 785198B5D04358DBDB20DF64CD4AB9AB7B8EF04700F1042A6FD0897281E778AA858B95
                                    APIs
                                    • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00716761
                                    Similarity
                                    • API ID: BuffersConcurrency::details::InitializeManager::Resource
                                    • String ID: dPq
                                    • API String ID: 3433162309-757507600
                                    • Opcode ID: 0ed33342ac0567caec2749b3ce4d7d181a54ded00f3db2d71b67bb143c1372d6
                                    • Instruction ID: 87122e2586bd60b80edb917811b3a73f11897a8e62aa0d8f5f3bb6702af0762f
                                    • Opcode Fuzzy Hash: 0ed33342ac0567caec2749b3ce4d7d181a54ded00f3db2d71b67bb143c1372d6
                                    • Instruction Fuzzy Hash: 03315A75A00309DFCF10EF98C4C4BEEBBB9BF44304F1444AAD945AB286D734A985DBA0
                                    APIs
                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 007252D5
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 007252F4
                                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 0072533B
                                    Similarity
                                    • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                                    • String ID: pContext
                                    • API String ID: 1284976207-2046700901
                                    • Opcode ID: 3ffe6198eed52befc0e1aee81268fc41f07ca8cee9ed3fddaf55a355963a9af7
                                    • Instruction ID: 7fc38d02b89af7ca2e6e1825e110544d28d603e1f16ab0188b48514b2729638e
                                    • Opcode Fuzzy Hash: 3ffe6198eed52befc0e1aee81268fc41f07ca8cee9ed3fddaf55a355963a9af7
                                    • Instruction Fuzzy Hash: 9A21C771700A35DBCB15EF68E899ABD73E5BF94325B04015AE811972D2CBBCAC468AC1
                                    Strings
                                    • C:\Users\user\Desktop\I7GcHDtUIF.exe, xrefs: 007319C9
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\I7GcHDtUIF.exe
                                    • API String ID: 0-2037104481
                                    • Opcode ID: 27a1d915b8c3f908f3967de77db3f164d8042bd11a4607921466e7f951c0e630
                                    • Instruction ID: 0d16df1b53c068ad89f58ee29c4e824bfd1b72faf12a2b99b7832005dbc1ed9d
                                    • Opcode Fuzzy Hash: 27a1d915b8c3f908f3967de77db3f164d8042bd11a4607921466e7f951c0e630
                                    • Instruction Fuzzy Hash: 0D21F2B1604215BFFB10AF60DC85D2A7BADEF013A5F108624F92586552EB3CEC0087A1
                                    APIs
                                    • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00718953
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00718976
                                    • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 007189B8
                                    Similarity
                                    • API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                                    • String ID: count$ppVirtualProcessorRoots
                                    • API String ID: 18808576-3650809737
                                    • Opcode ID: d462776c7f6003ebbcbb7a9c64537a794d7be0d2872392e13747d2a32d7c9f6c
                                    • Instruction ID: 3420f7a47b2ab23281bde8eb3aa63dca9ee2325376a97ec8a47b75b9e46f8eb6
                                    • Opcode Fuzzy Hash: d462776c7f6003ebbcbb7a9c64537a794d7be0d2872392e13747d2a32d7c9f6c
                                    • Instruction Fuzzy Hash: CE21B035600115EFCB04EF68C886EAD77B5BF48310F404069E506AB692DF79BE41CB92
                                    Similarity
                                    • API ID: _wcsrchr
                                    • String ID: .bat$.cmd$.com$.exe
                                    • API String ID: 1752292252-4019086052
                                    • Opcode ID: 6d903b0f9504bc8531d4e9bf46c7e7b6c4eef725aa8f9b6f6a40d2f9df8f4457
                                    • Instruction ID: a9976770a807365944f18e3f182bc929159bdc88be18f959a0b0f8f66c782f09
                                    • Opcode Fuzzy Hash: 6d903b0f9504bc8531d4e9bf46c7e7b6c4eef725aa8f9b6f6a40d2f9df8f4457
                                    • Instruction Fuzzy Hash: 1501D6776086323767142429BD06667179CCB9ABB0729003FF984F71C1FE5DDC8281B2
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0072A39A,?,?,?,?,0072AFCE,?), ref: 0072E056
                                    • _free.LIBCMT ref: 0072E0B3
                                    • _free.LIBCMT ref: 0072E0E9
                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0072A39A,?,?,?,?,0072AFCE,?), ref: 0072E0F4
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID: xau
                                    • API String ID: 2283115069-4180295599
                                    • Opcode ID: e2d6d95dfe119518f41c7329acf75df9b41b889e2e7287a1e4eec9439a399d8a
                                    • Instruction ID: a4b2cf9d4508829e4515f54bf694cadec4003a2e72e91c07e446375910fa40dc
                                    • Opcode Fuzzy Hash: e2d6d95dfe119518f41c7329acf75df9b41b889e2e7287a1e4eec9439a399d8a
                                    • Instruction Fuzzy Hash: 67112972604735ABE63126B4BC89E7F215AEBC1372B750238F614871D2EEED8C035120
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0072AF68,006F2207), ref: 0072E1AD
                                    • _free.LIBCMT ref: 0072E20A
                                    • _free.LIBCMT ref: 0072E240
                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,0072AF68,006F2207), ref: 0072E24B
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID: xau
                                    • API String ID: 2283115069-4180295599
                                    • Opcode ID: bee656bf9babcc5421180e2fbc33997966c56542174a40bca9a00524ec69fd18
                                    • Instruction ID: 44491cb4a0f6c2c32570187322d15708598743b0b0ae53017ba268788766cfca
                                    • Opcode Fuzzy Hash: bee656bf9babcc5421180e2fbc33997966c56542174a40bca9a00524ec69fd18
                                    • Instruction Fuzzy Hash: 01110872600B24EBE61026B4BC89E6F21AEEBC5372B650239F525871D2EE7D8C065114
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-
                                    • API String ID: 0-2084034818
                                    • Opcode ID: d9ed5f17acfd082ebcd456e0d1b48b99a23d4f6e18c5b1312d268b80197689d8
                                    • Instruction ID: 350088f52861d48e22e0a28d58b145b410e5e185f4ecabaaf3534eb02d6b0f89
                                    • Opcode Fuzzy Hash: d9ed5f17acfd082ebcd456e0d1b48b99a23d4f6e18c5b1312d268b80197689d8
                                    • Instruction Fuzzy Hash: 2A11E631A01732EBDB218B68AC45AAA37B4BF02770F188521EA06A7290D738DD00D6E0
                                    APIs
                                    • StructuredWorkStealingQueue.LIBCMT ref: 00725B07
                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00725B18
                                    • StructuredWorkStealingQueue.LIBCMT ref: 00725B4E
                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00725B5F
                                    Similarity
                                    • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                                    • String ID: e
                                    • API String ID: 3804418703-4024072794
                                    • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                                    • Instruction ID: b4248f8ef5677dbe16e13c4358a2a73d8bedda1d7a001fb1a58b30227b38a695
                                    • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                                    • Instruction Fuzzy Hash: 5511C671200920EBDB14DE79E895BAB73A5AF01360B24C15AE806DF243DB79ED00CFA1
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00729FB2,?,?,00729F7A,?,?,?), ref: 00729FD2
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00729FE5
                                    • FreeLibrary.KERNEL32(00000000,?,?,00729FB2,?,?,00729F7A,?,?,?), ref: 0072A008
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: d0f2a67bb9b51b87372824d962b3b656c811278d47d3f882ecd3bccf1d0b3ac0
                                    • Instruction ID: 663ac6ecaac65dd1977f7cfb1a7da101932da8bdb0f44f0a3543b9170de1f5ce
                                    • Opcode Fuzzy Hash: d0f2a67bb9b51b87372824d962b3b656c811278d47d3f882ecd3bccf1d0b3ac0
                                    • Instruction Fuzzy Hash: CBF0A035600229FBDB219B90EE0AB9E7BB9FB01752F054061F900F21A0DF788E04EB95
                                    APIs
                                    • GetUserNameA.ADVAPI32(?,?), ref: 006F6EEA
                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 006F6F30
                                    • GetSidIdentifierAuthority.ADVAPI32(?), ref: 006F6F3D
                                    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006F7051
                                    • GetSidSubAuthority.ADVAPI32(?,00000000), ref: 006F7078
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Authority$Name$AccountCountIdentifierLookupUser
                                    • String ID:
                                    • API String ID: 4230999276-0
                                    • Opcode ID: ac9f94264550b542cf665065894e19cd3f36deabd5054318067f66ada37dc5b8
                                    • Instruction ID: 13a779e1245099764bf67d846cb41a4e00ff625f1cb57bdbfd23e19de377526a
                                    • Opcode Fuzzy Hash: ac9f94264550b542cf665065894e19cd3f36deabd5054318067f66ada37dc5b8
                                    • Instruction Fuzzy Hash: 4C91C6B190011C9BDB28DF28DC85BEDB77AEF45300F4085E9E61997281DB359BC88F64
                                    APIs
                                    • __Mtx_unlock.LIBCPMT ref: 006FF51D
                                    • recv.WS2_32(?,?,00001F40,00000000), ref: 006FF556
                                    • recv.WS2_32(?,?,00001F40,00000000), ref: 006FF584
                                    • closesocket.WS2_32(?), ref: 006FF5F8
                                    • __Mtx_unlock.LIBCPMT ref: 006FF62D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Mtx_unlockrecv$closesocket
                                    • String ID:
                                    • API String ID: 1157980791-0
                                    • Opcode ID: f644dcaacdebc0f7338abdb5fdbd5e6a2b270ffbef2b47bb4e3c0d0dd25e91d2
                                    • Instruction ID: 5b681c0979c73cf6234cba8e1349f999526f2749756b748c086aa616f93ecd76
                                    • Opcode Fuzzy Hash: f644dcaacdebc0f7338abdb5fdbd5e6a2b270ffbef2b47bb4e3c0d0dd25e91d2
                                    • Instruction Fuzzy Hash: 7051D275900208DFDB11DF24CD0ABA9B7B1EF14300F2082A9ED09973A1EB75AD94CB44
                                    APIs
                                    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 0072A943
                                    • GetFileInformationByHandle.KERNEL32(?,?), ref: 0072A99D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0072A853,?,000000FF), ref: 0072AA2B
                                    • __dosmaperr.LIBCMT ref: 0072AA32
                                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0072AA6F
                                      • Part of subcall function 0072AC97: __dosmaperr.LIBCMT ref: 0072ACCC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                    • String ID:
                                    • API String ID: 1206951868-0
                                    • Opcode ID: e00053d4ac2fa1b2be9cdaaa4f55087a06d70bcb87f6857ad57618f1a4551cd9
                                    • Instruction ID: 639f804ee5e2273c5c1093cca9bfbbcd3aad38e47e88a0a57844b1717719e0da
                                    • Opcode Fuzzy Hash: e00053d4ac2fa1b2be9cdaaa4f55087a06d70bcb87f6857ad57618f1a4551cd9
                                    • Instruction Fuzzy Hash: A2414A75900254BFCB24DFA5ED499AFBBF9EF89300B00852AF956D3210E7389944CB61
                                    APIs
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 007215B7
                                      • Part of subcall function 0071C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0071C9A3
                                    • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00721616
                                    • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0072163C
                                    • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0072165C
                                    • Concurrency::location::_Assign.LIBCMT ref: 007216A9
                                      • Part of subcall function 00724D82: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00724DC7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                                    • String ID:
                                    • API String ID: 1879022333-0
                                    • Opcode ID: 7ee29ff2e8fb5b2b6f7c385213f2ec74509f1aca4b4e928ceffbd07304502753
                                    • Instruction ID: 3e9258116d7ccd39e6ccd713df9c2b497a821156361303219bc6662f0db22e95
                                    • Opcode Fuzzy Hash: 7ee29ff2e8fb5b2b6f7c385213f2ec74509f1aca4b4e928ceffbd07304502753
                                    • Instruction Fuzzy Hash: 2641D770A00220EBCB15DB24D88ABBDBB65BF55710F484099E5065B3C2CF789E45CBD1
                                    APIs
                                    • getaddrinfo.WS2_32(?,00000000,?,?), ref: 006FF3FC
                                    • freeaddrinfo.WS2_32(?), ref: 006FF41D
                                    • socket.WS2_32(00000002,00000001,00000000), ref: 006FF445
                                    • connect.WS2_32(00000000,?,00000010), ref: 006FF457
                                    • closesocket.WS2_32(00000000), ref: 006FF471
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: closesocketconnectfreeaddrinfogetaddrinfosocket
                                    • String ID:
                                    • API String ID: 1398928706-0
                                    • Opcode ID: cd7d3731b21225ae674915294056fcbf8faba7bf5208d90bc5712b830091876f
                                    • Instruction ID: 5caa1cf0adbf7bc1fafc7c0f2060d7b2139547e97fcbd245b1b708f910a1a4ad
                                    • Opcode Fuzzy Hash: cd7d3731b21225ae674915294056fcbf8faba7bf5208d90bc5712b830091876f
                                    • Instruction Fuzzy Hash: CC21BA76D082189BDB149B90DC4ABFD7378EF04700F1041ABFA09D62C1D7B85D819F96
                                    APIs
                                    • _free.LIBCMT ref: 00732A33
                                      • Part of subcall function 0072E7D5: HeapFree.KERNEL32(00000000,00000000,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?), ref: 0072E7EB
                                      • Part of subcall function 0072E7D5: GetLastError.KERNEL32(?,?,00732AAE,?,00000000,?,?,?,00732AD5,?,00000007,?,?,00732ED7,?,?), ref: 0072E7FD
                                    • _free.LIBCMT ref: 00732A45
                                    • _free.LIBCMT ref: 00732A57
                                    • _free.LIBCMT ref: 00732A69
                                    • _free.LIBCMT ref: 00732A7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: e8b2970f24fb9a23d5ced4c1aa2a958b3d8e9c99a982878920b4a254aac96227
                                    • Instruction ID: 19e0973d3127a6b650f314185feb6583514da0de74c85619ae353f9f988e4eaf
                                    • Opcode Fuzzy Hash: e8b2970f24fb9a23d5ced4c1aa2a958b3d8e9c99a982878920b4a254aac96227
                                    • Instruction Fuzzy Hash: C0F01272504310E7D630DB64F5C5C5677E9EB44724FA48C15F849D7A12DB7CFC828664
                                    APIs
                                    • __freea.LIBCMT ref: 007387AA
                                      • Part of subcall function 0072EA2B: HeapAlloc.KERNEL32(00000000,?,?,?,00731ECE,00000220,?,?,?,?,?,?,0072AFCE,?), ref: 0072EA5D
                                    • __freea.LIBCMT ref: 007387B3
                                    • __freea.LIBCMT ref: 007387D6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __freea$AllocHeap
                                    • String ID: ;!s
                                    • API String ID: 85559729-2464998918
                                    • Opcode ID: f5ce3203e6762d7cc010a7d7df2c7eed4e58552ee8ab0052efb48320ee357f6f
                                    • Instruction ID: ba45d1e3c21eacdb8030914c58983aa492d7c02e2d9ddcc9a1093fbee278f359
                                    • Opcode Fuzzy Hash: f5ce3203e6762d7cc010a7d7df2c7eed4e58552ee8ab0052efb48320ee357f6f
                                    • Instruction Fuzzy Hash: DC51C672500316EFFB615FA4DC45EBB36AAEF84750F254129FD04AB242DB7CDC5086A2
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 007290D0
                                    • CatchIt.LIBVCRUNTIME ref: 007291B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CatchEncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 1435073870-2084237596
                                    • Opcode ID: 0459ff83c791504fe77242699c48e394478c54acf158152ca8762afd42dae6cf
                                    • Instruction ID: bf6a06c2dd66fe56e0bc5e2969221c226df59325382224179e3234ec94b364de
                                    • Opcode Fuzzy Hash: 0459ff83c791504fe77242699c48e394478c54acf158152ca8762afd42dae6cf
                                    • Instruction Fuzzy Hash: AD415B7290011EEFCF15CF95ED89AAEBBB5FF48304F188059FA0866211D3399960DB61
                                    APIs
                                    • SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,00000000,00000000), ref: 00738992
                                    • _free.LIBCMT ref: 007389A1
                                    • _free.LIBCMT ref: 007389B0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$EnvironmentVariable
                                    • String ID: i&s
                                    • API String ID: 1464849758-2996144671
                                    • Opcode ID: af5c4874b96e2e01d85545233511f1f2129dc4670caf5d284c86e544618cd64c
                                    • Instruction ID: 706b24835b6bb31568f63a553a70ff127ce690f5517a633d2e99356ca4930777
                                    • Opcode Fuzzy Hash: af5c4874b96e2e01d85545233511f1f2129dc4670caf5d284c86e544618cd64c
                                    • Instruction Fuzzy Hash: 40113071C05228EBDF019F999C856EEFFB8BF08350F54406AF805B2212D77859558B96
                                    APIs
                                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0071DB55
                                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0071DB79
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0071DB8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
                                    • String ID: pScheduler
                                    • API String ID: 246774199-923244539
                                    • Opcode ID: ddbdf44eea992cb1db723786faa1e0c5b09aebe37348d3bc68d2d6092942fd34
                                    • Instruction ID: 2daa4630dc01c8fcbf010abeab19b809e79226619499a77ac5b7bd30bb8cfb1e
                                    • Opcode Fuzzy Hash: ddbdf44eea992cb1db723786faa1e0c5b09aebe37348d3bc68d2d6092942fd34
                                    • Instruction Fuzzy Hash: 9EF059B1504204E3C734FA5CDC56CDEB3B99E91710711416DF403230C2DB7CAD8ACA91
                                    APIs
                                    • RegisterWaitForSingleObject.KERNEL32(?,?,00000001,xDr,000000FF,0000000C), ref: 00713883
                                    • GetLastError.KERNEL32(?,00724478,?,00724378,?,?,?,?,?,?,00719701,?), ref: 00713892
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 007138A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                                    • String ID: xDr
                                    • API String ID: 2296417588-2411559659
                                    • Opcode ID: cf4548bb12c97d3d8d42c6dccc1d14321c50aeb7aa16905837641220c05e247b
                                    • Instruction ID: fa131a038b0f8b140a0d9ab04f8d09fe6e1c3d8bd34240ad3cf628cb7ccc2b4f
                                    • Opcode Fuzzy Hash: cf4548bb12c97d3d8d42c6dccc1d14321c50aeb7aa16905837641220c05e247b
                                    • Instruction Fuzzy Hash: 2AF0307560010AFBCF10EFA8CE0AEEE77BCAB00711F504555B625E50E1DB78DA149775
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: f29d928ae47408e1de63442ff607e58013e3970ed8a845dc5c8910df8058d850
                                    • Instruction ID: f62f017a357011a3df5e8e980b8010ca153b08a77abfa8b72b4265649f8c77a4
                                    • Opcode Fuzzy Hash: f29d928ae47408e1de63442ff607e58013e3970ed8a845dc5c8910df8058d850
                                    • Instruction Fuzzy Hash: A3B12432901255DFEF11CF28C8A1BAEBBE5EF95350F1441AAE855EB243D63C9D11CBA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 7f1c1974f777cd0984d22424646b275724e3a442afbedcd1ba1800845c885a88
                                    • Instruction ID: 8a68039f7b365a9715966d7adf34fff8a1716a939a2ec7904c41071f7b25470a
                                    • Opcode Fuzzy Hash: 7f1c1974f777cd0984d22424646b275724e3a442afbedcd1ba1800845c885a88
                                    • Instruction Fuzzy Hash: 3E5103F2602222EFDB688F14E845BBA77A4FF10310F14852DED0557291EB3AEC80C792
                                    APIs
                                    • GetVersionExW.KERNEL32(0000011C,?,17E38E62), ref: 006F8C09
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006F8C70
                                    • GetProcAddress.KERNEL32(00000000), ref: 006F8C77
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProcVersion
                                    • String ID:
                                    • API String ID: 3310240892-0
                                    • Opcode ID: 37936b851218fda8ea9ef32b9c753a3581c07ad1e4b34fd713474494984a5de1
                                    • Instruction ID: 325e23cc9336ebf4b149c507edc7d4165b140312f6aaac1cd0da970030109743
                                    • Opcode Fuzzy Hash: 37936b851218fda8ea9ef32b9c753a3581c07ad1e4b34fd713474494984a5de1
                                    • Instruction Fuzzy Hash: F5510471D002089FDB14EB28CD497EDBB76EF55310F9042D9E909AB2D1EF355AC48BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EqualOffsetTypeids
                                    • String ID:
                                    • API String ID: 1707706676-0
                                    • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                                    • Instruction ID: 433f8d0bbf48e5575bae2d55a9f20494a36676f330115b42529b197c41c66280
                                    • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                                    • Instruction Fuzzy Hash: 6F51B0399052299FDF50CFA8E4806AEFBF5EF15360F28445AD840A7351DB3BAD04CB92
                                    APIs
                                    • _free.LIBCMT ref: 00739A7E
                                    • _free.LIBCMT ref: 00739AA7
                                    • SetEndOfFile.KERNEL32(00000000,007353EA,00000000,00735681,?,?,?,?,?,?,?,007353EA,00735681,00000000), ref: 00739AD9
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,007353EA,00735681,00000000,?,?,?,?,00000000), ref: 00739AF5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFileLast
                                    • String ID:
                                    • API String ID: 1547350101-0
                                    • Opcode ID: 1ffa008f643413379d4c2a7ab98d91da422429b6152946d150a70a89c03e0f3c
                                    • Instruction ID: 964d1f495f227c31d9fa8e864bf6d9cbfe878415f20ae91b79bfc1dcf4b31094
                                    • Opcode Fuzzy Hash: 1ffa008f643413379d4c2a7ab98d91da422429b6152946d150a70a89c03e0f3c
                                    • Instruction Fuzzy Hash: 1741D572900615EBFB11ABB8DC4AB9E7765AF44320F244251F624E7293E7BCDC40C761
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                                    • String ID:
                                    • API String ID: 3264154886-0
                                    • Opcode ID: 94b8d4ba322ca8aaa705eb5ef6c9610663b092a3670c07769884f76f34bd621a
                                    • Instruction ID: 4e7b616fb939f42a3707bd4cf8081e882d51d25ae9f01e12a662b50725894c88
                                    • Opcode Fuzzy Hash: 94b8d4ba322ca8aaa705eb5ef6c9610663b092a3670c07769884f76f34bd621a
                                    • Instruction Fuzzy Hash: 1641FFB1A4120ADBDB20DF64C945BAAB7F9FF14310F004629E915D7780EB38E900CB91
                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 0071273F
                                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00712769
                                      • Part of subcall function 00712E2F: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00712E4C
                                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 007127E6
                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00712818
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                    • String ID:
                                    • API String ID: 1207923566-0
                                    • Opcode ID: df91bd6211d8be6c0664ca9b4cbff66ab6970e2cbb0d05cd0657ee144e86bc28
                                    • Instruction ID: 0b7a5ce395c44c7a844d4aeb0e5e1637619075c5aa9f87666d130b0de2d61782
                                    • Opcode Fuzzy Hash: df91bd6211d8be6c0664ca9b4cbff66ab6970e2cbb0d05cd0657ee144e86bc28
                                    • Instruction Fuzzy Hash: C8315C75A0010ACBDB15DFACC9455EEB7F5AF58310F24406AE505EB2C2DB389D92CBA0
                                    APIs
                                      • Part of subcall function 0072A41C: _free.LIBCMT ref: 0072A42A
                                      • Part of subcall function 00732307: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,007387A0,?,00000000,00000000), ref: 007323A9
                                    • GetLastError.KERNEL32 ref: 00731398
                                    • __dosmaperr.LIBCMT ref: 0073139F
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 007313DE
                                    • __dosmaperr.LIBCMT ref: 007313E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                    • String ID:
                                    • API String ID: 167067550-0
                                    • Opcode ID: c1b8bfe4ed5f20a26270680c0e470dc154d836945dc338b2d119928e90f046eb
                                    • Instruction ID: 6154de4698e073ca75e4502d34ede33fd5977496d88962aa58ba789a23a7f8d4
                                    • Opcode Fuzzy Hash: c1b8bfe4ed5f20a26270680c0e470dc154d836945dc338b2d119928e90f046eb
                                    • Instruction Fuzzy Hash: D72134B1604215FFFB20AF65DC84D6BB7ACEF00364B508218F92A83542D73DEC018BA1
                                    APIs
                                    • SetEvent.KERNEL32(?,00000000,?), ref: 0072453C
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00724524
                                      • Part of subcall function 0071C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0071C9A3
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0072459F
                                    • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,00753B00), ref: 007245A4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                                    • String ID:
                                    • API String ID: 2734100425-0
                                    • Opcode ID: a84aa5a936be8f3da8acb925aadf199f982883e56c589dbb24b43b0aa98d0c03
                                    • Instruction ID: 6931c1aa2ec533ed2ee97e1b25f03606c6fbec5767bdd5877214824f6df8bb67
                                    • Opcode Fuzzy Hash: a84aa5a936be8f3da8acb925aadf199f982883e56c589dbb24b43b0aa98d0c03
                                    • Instruction Fuzzy Hash: 3921F675600124EFCB00EB69DC4ADBDB7ECEB48760B14405AFA16A32D1CB74AE018A94
                                    APIs
                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00724E16
                                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00724DC7
                                      • Part of subcall function 0071BD6E: SafeRWList.LIBCONCRT ref: 0071BD7F
                                    • SafeRWList.LIBCONCRT ref: 00724E0C
                                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00724E2C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                                    • String ID:
                                    • API String ID: 336577199-0
                                    • Opcode ID: 663d7d8586b9f9f36285dd2c24fada105ef6164f05d44dbbb8d6c6f6e8b93314
                                    • Instruction ID: a7e2688b1d5a2da754934d9d90241b6715395c4fbc6863b0be6fcd487cdd06e8
                                    • Opcode Fuzzy Hash: 663d7d8586b9f9f36285dd2c24fada105ef6164f05d44dbbb8d6c6f6e8b93314
                                    • Instruction Fuzzy Hash: E321D47160020ADFC704DF24D885FA5FBE9BF84718F14D2AAD5054B582D739E999CBC0
                                    APIs
                                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00712D61
                                      • Part of subcall function 00712F1D: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00718ED8
                                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00712D82
                                      • Part of subcall function 00713C04: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00713C20
                                    • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 00712D9E
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00712DA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                                    • String ID:
                                    • API String ID: 1684785560-0
                                    • Opcode ID: 0a3dfa75b069b30721463943dfc6c17c0d73fe89d62ef39c00213a3d3edc5cce
                                    • Instruction ID: af8de96ef40c7d04301ff13efb1f2eb957f04c34d4ea5669ea1c561189e028ac
                                    • Opcode Fuzzy Hash: 0a3dfa75b069b30721463943dfc6c17c0d73fe89d62ef39c00213a3d3edc5cce
                                    • Instruction Fuzzy Hash: EA012BB1600305EFC7206F6CDC8A8DBFBBCDF10740B108529F554921C2D77999A687A1
                                    APIs
                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00726E2B
                                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00726E3F
                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00726E57
                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00726E6F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                    • String ID:
                                    • API String ID: 78362717-0
                                    • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                                    • Instruction ID: 26e003308b722c0f7b2a5ff95f60da5c85e413eef29af1566892deedc374897e
                                    • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                                    • Instruction Fuzzy Hash: 3D01263AB00124E7CF12EE68D855AEF77A9BF80750F010056FD11A7281DA74ED1086A0
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0072F291,00000000,?,0073598B,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0072F142
                                    • GetLastError.KERNEL32(?,0073598B,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0072F291,00000000,00000104,?), ref: 0072F14C
                                    • __dosmaperr.LIBCMT ref: 0072F153
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                     • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFullLastNamePath__dosmaperr
                                    • String ID:
                                    • API String ID: 2398240785-0
                                    • Opcode ID: 0046e6d9e4537c6b98b22ca6df1a849be01085f6706cde6fb9a01c990a7941a5
                                    • Instruction ID: 712ff86a33c33f7ae5644c6eafdbb7f51a4a6f4bb08d12cbfa57a7e6a9f1e97c
                                    • Opcode Fuzzy Hash: 0046e6d9e4537c6b98b22ca6df1a849be01085f6706cde6fb9a01c990a7941a5
                                    • Instruction Fuzzy Hash: 42F06D36600129FBDB205BA2EC0895AFF79FF4A7A07408135F519C6120D739E8619BD0
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0072F291,00000000,?,00735916,00000000,00000000,0072F291,?,?,00000000,00000000,00000001), ref: 0072F1AB
                                    • GetLastError.KERNEL32(?,00735916,00000000,00000000,0072F291,?,?,00000000,00000000,00000001,00000000,00000000,?,0072F291,00000000,00000104), ref: 0072F1B5
                                    • __dosmaperr.LIBCMT ref: 0072F1BC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFullLastNamePath__dosmaperr
                                    • String ID:
                                    • API String ID: 2398240785-0
                                    • Opcode ID: b35b5899288788d397937ac706c75b5e417d5b85410de5537444231d52b51ad7
                                    • Instruction ID: 2699d2cd69f5cd29670f79dfe69646e329f56622d4ac6c7a9bb95de02c968d2e
                                    • Opcode Fuzzy Hash: b35b5899288788d397937ac706c75b5e417d5b85410de5537444231d52b51ad7
                                    • Instruction Fuzzy Hash: EEF0FF36600229FBCB205BA2EC08D56BF79FF457A03508635F629C6120DB39E861DBD0
                                    APIs
                                      • Part of subcall function 007139B8: TlsGetValue.KERNEL32(?,?,00712F39,00712D66,?,?), ref: 007139BE
                                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00718A81
                                      • Part of subcall function 00721D61: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00721D88
                                      • Part of subcall function 00721D61: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00721DA1
                                      • Part of subcall function 00721D61: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00721E17
                                      • Part of subcall function 00721D61: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00721E1F
                                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00718A8F
                                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00718A99
                                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00718AA3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                                    • String ID:
                                    • API String ID: 2616382602-0
                                    • Opcode ID: 0c67b4f684b37305da7f6afaa5adbbc329f540c011c0e432b1c333f66c1599b7
                                    • Instruction ID: d54614e07ca671114793e75847c98816a48b04d39a79ce8fdd58fe83a7da6e19
                                    • Opcode Fuzzy Hash: 0c67b4f684b37305da7f6afaa5adbbc329f540c011c0e432b1c333f66c1599b7
                                    • Instruction Fuzzy Hash: A4F0F631600514E7CB26B77D981A8EDB72A5F81B50B44402AF901573D2DF6C9ED587D2
                                    APIs
                                    • WriteConsoleW.KERNEL32(006F8FB0,0000000F,00754160,00000000,006F8FB0,?,00738B9A,006F8FB0,00000001,006F8FB0,006F8FB0,?,00733A75,00000000,?,006F8FB0), ref: 0073A4C6
                                    • GetLastError.KERNEL32(?,00738B9A,006F8FB0,00000001,006F8FB0,006F8FB0,?,00733A75,00000000,?,006F8FB0,00000000,006F8FB0,?,00733FC9,006F8FB0), ref: 0073A4D2
                                      • Part of subcall function 0073A498: CloseHandle.KERNEL32(FFFFFFFE,0073A4E2,?,00738B9A,006F8FB0,00000001,006F8FB0,006F8FB0,?,00733A75,00000000,?,006F8FB0,00000000,006F8FB0), ref: 0073A4A8
                                    • ___initconout.LIBCMT ref: 0073A4E2
                                      • Part of subcall function 0073A45A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0073A489,00738B87,006F8FB0,?,00733A75,00000000,?,006F8FB0,00000000), ref: 0073A46D
                                    • WriteConsoleW.KERNEL32(006F8FB0,0000000F,00754160,00000000,?,00738B9A,006F8FB0,00000001,006F8FB0,006F8FB0,?,00733A75,00000000,?,006F8FB0,00000000), ref: 0073A4F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    • Opcode ID: 528481dc5424acb16b05ef1bcf0ac051e702284d4912b0f5c64db023d40a0088
                                    • Instruction ID: 37a4bd74421f6e6fe6ddb36912ebab71495be8e74fa898d84acfde916eafcbf4
                                    • Opcode Fuzzy Hash: 528481dc5424acb16b05ef1bcf0ac051e702284d4912b0f5c64db023d40a0088
                                    • Instruction Fuzzy Hash: B6F0303A001255BBDF221FA9DC0DE8D3F66FB4A3A1F058015FB1986131D7B68860EB95
                                    APIs
                                    • SleepConditionVariableCS.KERNELBASE(?,00710B86,00000064), ref: 00710C0C
                                    • LeaveCriticalSection.KERNEL32(00759720,0075C650,?,00710B86,00000064,?,74DF0F00,?,006F7E9D,0075C650), ref: 00710C16
                                    • WaitForSingleObjectEx.KERNEL32(0075C650,00000000,?,00710B86,00000064,?,74DF0F00,?,006F7E9D,0075C650), ref: 00710C27
                                    • EnterCriticalSection.KERNEL32(00759720,?,00710B86,00000064,?,74DF0F00,?,006F7E9D,0075C650), ref: 00710C2E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                    • String ID:
                                    • API String ID: 3269011525-0
                                    • Opcode ID: 01afbc225f93c24c49c10eb504e160ce15b98c48fee75d89faf5faada206a0e3
                                    • Instruction ID: 4296e7542bd67bb0c8423b9c37c823b597f9fc033394fc3a8deb33778c151d41
                                    • Opcode Fuzzy Hash: 01afbc225f93c24c49c10eb504e160ce15b98c48fee75d89faf5faada206a0e3
                                    • Instruction Fuzzy Hash: 9BE0E535551628E7CF011F54AC05BDD7F54EB0DB52B158412FA0555160C7FD1890ABE9
                                    APIs
                                    • GetCPInfo.KERNEL32(0000FDE9,?,?,?,00000000), ref: 00731D42
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Info
                                    • String ID: $;!s
                                    • API String ID: 1807457897-1159651172
                                    • Opcode ID: 865c9f7b2b6168c973c4a159a3b81a13be832fb5b425d6669444aac5fc17cf6a
                                    • Instruction ID: adfeecd46a5c1149c00fbb6f913341e0ca3eaf6f2b43c5f62c6ac5caf3201232
                                    • Opcode Fuzzy Hash: 865c9f7b2b6168c973c4a159a3b81a13be832fb5b425d6669444aac5fc17cf6a
                                    • Instruction Fuzzy Hash: 6A416D716042589BFB218B68CC84BFB7BFDAB15704FA408ADE58AC7043D2799D45DB20
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\Desktop\I7GcHDtUIF.exe
                                    • API String ID: 0-2037104481
                                    • Opcode ID: 885614a53dd77e06255e6fbb8ccad4655d5afbcf0893771433fdd6da0e4078a0
                                    • Instruction ID: 7cf5c5846183b4a5f6685b9f4626d1d6a31125d0d4abfcf018e00dbf238e1530
                                    • Opcode Fuzzy Hash: 885614a53dd77e06255e6fbb8ccad4655d5afbcf0893771433fdd6da0e4078a0
                                    • Instruction Fuzzy Hash: BA4196B1A00228EBDB12DF99EC85D9EBBB8EF94710F144066E504D7251D7B98A41CB50
                                    APIs
                                      • Part of subcall function 00731C3A: GetOEMCP.KERNEL32(00000000,00731EAC,?,?,0072AFCE,0072AFCE,?), ref: 00731C65
                                    • _free.LIBCMT ref: 00731F09
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: @bu
                                    • API String ID: 269201875-4169128004
                                    • Opcode ID: 2d007797dabf2f8277ca68df44ee24201dfbb6a3fa3b5be58f92fd4156273554
                                    • Instruction ID: 974af65932543133d84557fbe4ecbe6295a85af018ca4117929115a81ac27372
                                    • Opcode Fuzzy Hash: 2d007797dabf2f8277ca68df44ee24201dfbb6a3fa3b5be58f92fd4156273554
                                    • Instruction Fuzzy Hash: 3731BE7190420AAFEB01DF68D884ADE7BF4FF44325F5140A9F8109B2A2EB7ADD51CB51
                                    APIs
                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 00732C70
                                    • __freea.LIBCMT ref: 00732C79
                                      • Part of subcall function 0072EA2B: HeapAlloc.KERNEL32(00000000,?,?,?,00731ECE,00000220,?,?,?,?,?,?,0072AFCE,?), ref: 0072EA5D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocHeapStringType__freea
                                    • String ID: ;!s
                                    • API String ID: 2523373117-2464998918
                                    • Opcode ID: 750e7d78e3222d03567f38dfcbfa92aaf65ea81990c7f204239424f592ea20f0
                                    • Instruction ID: 5fcbd1d5bbd353480a55772fa0a23d174b5124e644eed365372729633f016c6e
                                    • Opcode Fuzzy Hash: 750e7d78e3222d03567f38dfcbfa92aaf65ea81990c7f204239424f592ea20f0
                                    • Instruction Fuzzy Hash: 7431BE7190021AABEB21AF65DC45EEF7BB9EF44310F058128F914A7252D738CD52D7A0
                                    APIs
                                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 007251B4
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 007251FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
                                    • String ID: pContext
                                    • API String ID: 3390424672-2046700901
                                    • Opcode ID: 417788757c60653de1292f93f6b9ef8522559e0caf9f5446e6b65318ff872808
                                    • Instruction ID: e28a6e7f0b4e13675549c5303d866b8e22fcaf4f82e95fea33d6c0210773c73e
                                    • Opcode Fuzzy Hash: 417788757c60653de1292f93f6b9ef8522559e0caf9f5446e6b65318ff872808
                                    • Instruction Fuzzy Hash: 1C110635A00628DBCF19AF68E899A6D73A5BF54321B154069EC12AB242DB7CDD05CBC0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free
                                    • String ID: xau
                                    • API String ID: 269201875-4180295599
                                    • Opcode ID: 23d03f2ae09ea6c82a32ce3aba6b152c07188dbecff7d3c479f446bfed450cbb
                                    • Instruction ID: 4824441a1e958b76a05c166b9159fd0f7b5e679f386395b2724dbb590359fb68
                                    • Opcode Fuzzy Hash: 23d03f2ae09ea6c82a32ce3aba6b152c07188dbecff7d3c479f446bfed450cbb
                                    • Instruction Fuzzy Hash: 9201F771E01B39A7E52532747C0AABF22199F00731F650730FD14A62E6EA7D9C228194
                                    APIs
                                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0071F3A1
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0071F3B4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
                                    • String ID: pContext
                                    • API String ID: 548886458-2046700901
                                    • Opcode ID: 756bcd4eee95aed5c45dfdd708bb5df8e4d30a86443bbadbf2cbb6ed47071467
                                    • Instruction ID: 15f4defa3d3127ea1480feb017794e5cb4a471d92ae0e5baef9cd1183b730baa
                                    • Opcode Fuzzy Hash: 756bcd4eee95aed5c45dfdd708bb5df8e4d30a86443bbadbf2cbb6ed47071467
                                    • Instruction Fuzzy Hash: 57E02279B00114A7CB04BB79E84EC9DB7BAAEC0B103000069F811A3282DBB8AE058AC0
                                    APIs
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00716F4E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1665054167.00000000006F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 006F0000, based on PE: true
                                    • Associated: 00000000.00000002.1665041149.00000000006F0000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665083683.0000000000744000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665101058.0000000000756000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665113891.0000000000758000.00000008.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665126290.0000000000759000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1665138705.000000000075D000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_6f0000_I7GcHDtUIF.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::invalid_argument::invalid_argument
                                    • String ID: pScheduler$version
                                    • API String ID: 2141394445-3154422776
                                    • Opcode ID: e60e1494984e86de75183a7043b50e2a258228e3675c70d089f467ec99d7eeb2
                                    • Instruction ID: 7ea9d2a159903184b499f5c78f070595e39e37ad5abe01cf8eceeb10f7f7e93a
                                    • Opcode Fuzzy Hash: e60e1494984e86de75183a7043b50e2a258228e3675c70d089f467ec99d7eeb2
                                    • Instruction Fuzzy Hash: F3E0867054420CF7CB14EA68ED4AEDC77AC6B20309F00C061B811214D297FC9ACECA41

                                    Execution Graph

                                    Execution Coverage: 0.4%
                                    Dynamic/Decrypted Code Coverage: 0%
                                    Signature Coverage: 0%
                                    Total number of Nodes: 56
                                    Total number of Limit Nodes: 6

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32(?,?,00179F7A,?,?,?,?,?,0017AFCE), ref: 00179F9D
                                    • TerminateProcess.KERNEL32(00000000,?,00179F7A,?,?,?,?,?,0017AFCE), ref: 00179FA4
                                    • ExitProcess.KERNEL32 ref: 00179FB6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$CurrentExitTerminate
                                    • String ID:
                                    • API String ID: 1703294689-0
                                    • Opcode ID: 27eaf627788dddb0d2fcc4ad9b8a7974bb009d17394aad0daef8e79cf544ca24
                                    • Instruction ID: a254320194cab05c9b36947ec9743eb5b9a07b6758b95f8c5fd09e9680645a08
                                    • Opcode Fuzzy Hash: 27eaf627788dddb0d2fcc4ad9b8a7974bb009d17394aad0daef8e79cf544ca24
                                    • Instruction Fuzzy Hash: 1AE0B671005548AFCB126F64ED09E587F79FB65345B14842AF809C6531CB3AED96DB80

                                    Control-flow Graph

                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 0-537541572
                                    • Opcode ID: 23015e68e5fb672fa8f69c405af41ab2ba5e6992221e66b42edb256d127c60ae
                                    • Instruction ID: 26da1acc4c195c677e3a1258580b1be0dce35cff8330a186ce2053cd68d62dda
                                    • Opcode Fuzzy Hash: 23015e68e5fb672fa8f69c405af41ab2ba5e6992221e66b42edb256d127c60ae
                                    • Instruction Fuzzy Hash: ED21E775A05221ABDB224B68AC45E2A3BF89F4D760F258591F80EA7290D730ED00C6E0

                                    Control-flow Graph

                                    APIs
                                    • Sleep.KERNELBASE(00000064), ref: 0014B173
                                    • CreateMutexA.KERNELBASE(00000000,00000000,001A7224), ref: 0014B191
                                    • GetLastError.KERNEL32 ref: 0014B199
                                    • GetLastError.KERNEL32 ref: 0014B1AA
                                    Similarity
                                    • API ID: ErrorLast$CreateMutexSleep
                                    • String ID:
                                    • API String ID: 3645482037-0
                                    • Opcode ID: 7f4e3eaab5d75d6f08ff50238af20f08c9612c5a88b9dab433c344bdd2ffb2d3
                                    • Instruction ID: 4e447bed95e34203cc93f4cb2e520a2d0c9c8988fcce508288cfb9a19b6bd327
                                    • Opcode Fuzzy Hash: 7f4e3eaab5d75d6f08ff50238af20f08c9612c5a88b9dab433c344bdd2ffb2d3
                                    • Instruction Fuzzy Hash: 5C01283550C200DBE7106B68FD49F9E37B6E751B10F540626F715C7DE0CB3099808B51

                                    Control-flow Graph

                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05aded05b2a3c3db716efd12dbceb01275f1a45dc172a9b286fe10bc27a10fb5
                                    • Instruction ID: 7a77e4dbcc09f77782ed211860149ee305dd8d54593158f9b5f73f922ab22519
                                    • Opcode Fuzzy Hash: 05aded05b2a3c3db716efd12dbceb01275f1a45dc172a9b286fe10bc27a10fb5
                                    • Instruction Fuzzy Hash: 2D01B53B6002119F9B278E6EED4095A37F6AB89330729C160FA1CCB594DB3198819791

                                    Control-flow Graph

                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0014797D
                                    • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 001479DB
                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 001479F4
                                    • GetThreadContext.KERNEL32(?,00000000), ref: 00147A09
                                    • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00147A29
                                    Strings
                                    Similarity
                                    • API ID: Process$AllocContextCreateFileMemoryModuleNameReadThreadVirtual
                                    • String ID: $VUUU$invalid stoi argument
                                    • API String ID: 338953623-3954507777
                                    • Opcode ID: 5031fc3f111554fb563de889776b715aab76c562ad6ca7ca46c14fdda6ff0b21
                                    • Instruction ID: 6420086fa37353237d13254a4274e748c3efa8349d794368b01da396069c00ba
                                    • Opcode Fuzzy Hash: 5031fc3f111554fb563de889776b715aab76c562ad6ca7ca46c14fdda6ff0b21
                                    • Instruction Fuzzy Hash: 8651B271644301AFD7209F64CC06FAABBF8FF94704F444529FA48DB6E0DB70A9458B9A
                                    APIs
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00164968
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 001649B4
                                      • Part of subcall function 001660AF: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 001661A2
                                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00164A20
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00164A3C
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00164A90
                                    • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00164ABD
                                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00164B13
                                    Strings
                                    Similarity
                                    • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                                    • String ID: (
                                    • API String ID: 2943730970-3887548279
                                    • Opcode ID: f142f0e21df7ac80d9b6b105af198753d21edef420de7d7cf2f355027638f586
                                    • Instruction ID: 86b872bc13c456e757e67a6b845fc42a71edf0c333ac9d9139d412803ff90887
                                    • Opcode Fuzzy Hash: f142f0e21df7ac80d9b6b105af198753d21edef420de7d7cf2f355027638f586
                                    • Instruction Fuzzy Hash: 15B14970A00212EFDB28CF58DD91B7AB7B5FB49304F14816EE8069B695D730EDA1CB94
                                    APIs
                                      • Part of subcall function 0016674E: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00166761
                                    • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00165066
                                      • Part of subcall function 00166861: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 0016688B
                                      • Part of subcall function 00166861: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 001668FA
                                    • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00165198
                                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 001651F8
                                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00165204
                                    • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 0016523F
                                    • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00165260
                                    • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0016526C
                                    • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00165275
                                    • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0016528D
                                    Similarity
                                    • API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
                                    • String ID:
                                    • API String ID: 2508902052-0
                                    • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                                    • Instruction ID: 0c9f4869cb6316975febbf2818d348f3018b3a6a76e7284c1a9fe45db5673257
                                    • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                                    • Instruction Fuzzy Hash: 4D814B71A006259FCB18DFA8C994A7DBBB2FF49304F1586ADE455A7701C731AD62CB80
                                    APIs
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001726D4
                                      • Part of subcall function 0016C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0016C9A3
                                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0017273A
                                    • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 00172752
                                    • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0017275F
                                      • Part of subcall function 00172202: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0017222A
                                      • Part of subcall function 00172202: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 001722C2
                                      • Part of subcall function 00172202: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 001722CC
                                      • Part of subcall function 00172202: Concurrency::location::_Assign.LIBCMT ref: 00172300
                                      • Part of subcall function 00172202: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00172308
                                    Similarity
                                    • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                                    • String ID:
                                    • API String ID: 2363638799-0
                                    • Opcode ID: 92a3706c232a2cb94688282d3c76b29b9913c07845ab14ec29976d31a2bca840
                                    • Instruction ID: 5a02c9cdf6067e31c73d89360fa2ca0951b1cb18cb23c1584903f3a478fa6945
                                    • Opcode Fuzzy Hash: 92a3706c232a2cb94688282d3c76b29b9913c07845ab14ec29976d31a2bca840
                                    • Instruction Fuzzy Hash: B051A535A00215DBCF18DF64C985FADB775AF64314F198069E90A7B382CB70AE03DBA1

                                    Control-flow Graph

                                    APIs
                                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00176133
                                      • Part of subcall function 00175F31: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00175F54
                                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00176154
                                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00176161
                                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 001761AF
                                    • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 00176236
                                    • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00176249
                                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00176296
                                    Similarity
                                    • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                                    • String ID:
                                    • API String ID: 2530155754-0
                                    • Opcode ID: 80a930e4fd601112212437d12dfac164c765236ace1985841044514f816dcbd5
                                    • Instruction ID: a108f7abf8e33530ee1bae89d70c495d2bb9db0d0eaf4d3dba5cfc1430d5f055
                                    • Opcode Fuzzy Hash: 80a930e4fd601112212437d12dfac164c765236ace1985841044514f816dcbd5
                                    • Instruction Fuzzy Hash: 5B81BF30804649AFDF16DF94C955BFE7BB2AF56308F048098EC496B292C7728D29DB61

                                    Control-flow Graph

                                    Strings
                                    Similarity
                                    • API ID:
                                    • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                                    • API String ID: 0-3963862150
                                    • Opcode ID: 0d2e514c86ae649b1dccc1f54ea09e47dee04cd89e28da305c07da096caf5e60
                                    • Instruction ID: f04beeecc7dca776da8f92d1a6c872156d7fe4664d1723ad82eb87d0a43d9e19
                                    • Opcode Fuzzy Hash: 0d2e514c86ae649b1dccc1f54ea09e47dee04cd89e28da305c07da096caf5e60
                                    • Instruction Fuzzy Hash: 30F1B270A00258EFEF24DF94CC89BEDBBB5EF45304F508199E819AB291D7749A84CF91

                                    Control-flow Graph

                                    APIs
                                    • ListArray.LIBCONCRT ref: 00167F8A
                                      • Part of subcall function 00167D6B: InitializeSListHead.KERNEL32(?,?,00000000,?,?), ref: 00167E37
                                      • Part of subcall function 00167D6B: InitializeSListHead.KERNEL32(?), ref: 00167E41
                                    • ListArray.LIBCONCRT ref: 00167FBE
                                    • Hash.LIBCMT ref: 00168027
                                    • Hash.LIBCMT ref: 00168037
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001680CC
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001680D9
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001680E6
                                    • InitializeSListHead.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00001001), ref: 001680F3
                                      • Part of subcall function 0016D694: std::bad_exception::bad_exception.LIBCMT ref: 0016D6B6
                                    • RegisterWaitForSingleObject.KERNEL32(?,00000000,0016B468,?,000000FF,00000000), ref: 0016817B
                                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0016819D
                                    • GetLastError.KERNEL32(00168EDD,?,?,00000000,?,?), ref: 001681AF
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 001681CC
                                      • Part of subcall function 001635FC: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,00168EDD,00000008,?,001681D1,?,00000000,0016B459,?,7FFFFFFF,7FFFFFFF,00000000), ref: 00163614
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001681F6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                                    • String ID:
                                    • API String ID: 2750799244-0
                                    • Opcode ID: a61bf01884bee785a5a19b2480b652de47603bec5ea993c5a2b92dd2259af5f5
                                    • Instruction ID: 5321f30fab2c2dd45d8da61f496af679c9679823e68c09807e8b5399923b43b3
                                    • Opcode Fuzzy Hash: a61bf01884bee785a5a19b2480b652de47603bec5ea993c5a2b92dd2259af5f5
                                    • Instruction Fuzzy Hash: 0F816FB0A11A52BBD718DF78CC45BD9FBA8BF19700F10421BF42997281DBB46664CBD0

                                    Control-flow Graph

                                    APIs
                                    • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00166293
                                      • Part of subcall function 0016757E: GetVersionExW.KERNEL32(?), ref: 001675A2
                                      • Part of subcall function 0016757E: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00167641
                                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 001662A7
                                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 001662C8
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00166331
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00166365
                                      • Part of subcall function 0016423F: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0016425F
                                    • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 001663E5
                                      • Part of subcall function 00165DAE: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00165DC2
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0016642D
                                      • Part of subcall function 00164214: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00164230
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00166441
                                    • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00166452
                                    • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 0016649F
                                    • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 001664C4
                                    • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 001664D0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                                    • String ID:
                                    • API String ID: 4140532746-0
                                    • Opcode ID: abfbfcdad5deb8ad79c312fbbd855f192bdd59c08c63b50edf55dc0455c28bfb
                                    • Instruction ID: b45714ef949dbfe132de14edb19e0bd8e234a761035932c9260de89044698736
                                    • Opcode Fuzzy Hash: abfbfcdad5deb8ad79c312fbbd855f192bdd59c08c63b50edf55dc0455c28bfb
                                    • Instruction Fuzzy Hash: 20819071A001269FCF18DFA9ECA15BDBBB5BB59304B24402EE445E7B90DB34ADE4CB50

                                    Control-flow Graph

                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 00182D84
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 0018293A
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 0018294C
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 0018295E
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 00182970
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 00182982
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 00182994
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 001829A6
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 001829B8
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 001829CA
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 001829DC
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 001829EE
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 00182A00
                                      • Part of subcall function 0018291D: _free.LIBCMT ref: 00182A12
                                    • _free.LIBCMT ref: 00182D79
                                      • Part of subcall function 0017E7D5: HeapFree.KERNEL32(00000000,00000000,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?), ref: 0017E7EB
                                      • Part of subcall function 0017E7D5: GetLastError.KERNEL32(?,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?,?), ref: 0017E7FD
                                    • _free.LIBCMT ref: 00182D9B
                                    • _free.LIBCMT ref: 00182DB0
                                    • _free.LIBCMT ref: 00182DBB
                                    • _free.LIBCMT ref: 00182DDD
                                    • _free.LIBCMT ref: 00182DF0
                                    • _free.LIBCMT ref: 00182DFE
                                    • _free.LIBCMT ref: 00182E09
                                    • _free.LIBCMT ref: 00182E41
                                    • _free.LIBCMT ref: 00182E48
                                    • _free.LIBCMT ref: 00182E65
                                    • _free.LIBCMT ref: 00182E7D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: a7c791ff5c4b2a6b64e840982a9dd76ed0fd19bdc4028d60cff3adc8dbc1a8f9
                                    • Instruction ID: 53333c2d3c88d16eddf946f9440bdd6c358297c4b542f4d1db8e15591c01ce68
                                    • Opcode Fuzzy Hash: a7c791ff5c4b2a6b64e840982a9dd76ed0fd19bdc4028d60cff3adc8dbc1a8f9
                                    • Instruction Fuzzy Hash: 75317C32600604DFEB26BA78D885B5A77E8EF14320F54886AE459D7591EF31EE80CF64
                                    APIs
                                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00167638), ref: 001634D1
                                    • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 001634DF
                                    • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 001634ED
                                    • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0016351B
                                    • GetLastError.KERNEL32(?,?,?,00167638), ref: 00163536
                                    • GetLastError.KERNEL32(?,?,?,00167638), ref: 00163542
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00163558
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                                    • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                                    • API String ID: 1654681794-465693683
                                    • Opcode ID: 700e4ab8f4a35392bc4f0294c507011db5502cd8af219a4613c42b601dcce973
                                    • Instruction ID: 12d95862cf3e63458eea2b44144d186de7baea21d58c2ede82380d5d6ded794a
                                    • Opcode Fuzzy Hash: 700e4ab8f4a35392bc4f0294c507011db5502cd8af219a4613c42b601dcce973
                                    • Instruction Fuzzy Hash: CE0149726043116BD7107BBA6C4ADAB37ECEB41B11714042BF526D3592EF70CAA54760
                                    APIs
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 00178DF0
                                    • type_info::operator==.LIBVCRUNTIME ref: 00178E17
                                    • ___TypeMatch.LIBVCRUNTIME ref: 00178F23
                                    • CatchIt.LIBVCRUNTIME ref: 00178F78
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 00178FFE
                                    • _UnwindNestedFrames.LIBCMT ref: 00179085
                                    • CallUnexpected.LIBVCRUNTIME ref: 001790A0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 4234981820-393685449
                                    • Opcode ID: 5f00ed4bbfd025c1a0c89295c328c565af92a3a00ca3924d37bbd3b43b7c6d2a
                                    • Instruction ID: 5a0f9a342523f717ea08bb2c61b4fb2ae50021d3bbe5cbbde21bd2fadb45749f
                                    • Opcode Fuzzy Hash: 5f00ed4bbfd025c1a0c89295c328c565af92a3a00ca3924d37bbd3b43b7c6d2a
                                    • Instruction Fuzzy Hash: 4CC1CE71840209DFCF29DFA4C8859AEBBB9FF24310F14815AF8196B252CB35DA95CB91
                                    APIs
                                      • Part of subcall function 00185155: CreateFileW.KERNEL32(00000000,00000000,?,00185545,?,?,00000000,?,00185545,00000000,0000000C), ref: 00185172
                                    • GetLastError.KERNEL32 ref: 001855B0
                                    • __dosmaperr.LIBCMT ref: 001855B7
                                    • GetFileType.KERNEL32(00000000), ref: 001855C3
                                    • GetLastError.KERNEL32 ref: 001855CD
                                    • __dosmaperr.LIBCMT ref: 001855D6
                                    • CloseHandle.KERNEL32(00000000), ref: 001855F6
                                    • CloseHandle.KERNEL32(0017E672), ref: 00185743
                                    • GetLastError.KERNEL32 ref: 00185775
                                    • __dosmaperr.LIBCMT ref: 0018577C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                    • String ID: H
                                    • API String ID: 4237864984-2852464175
                                    • Opcode ID: fef47ec6ec03a0fc6cb38a4217c936418d703df9a166a3d11687f0bfd7218cb9
                                    • Instruction ID: 0db741f963d04a5c7d5c5ad88b3484377f5182ed8279cb17dfbe1b327375d72d
                                    • Opcode Fuzzy Hash: fef47ec6ec03a0fc6cb38a4217c936418d703df9a166a3d11687f0bfd7218cb9
                                    • Instruction Fuzzy Hash: A0A11532A145448FCF19AF68DC51BAE3BB2EF06320F284159F815AB291DB349E46CF52
                                    APIs
                                    • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 001763D2
                                      • Part of subcall function 00175F31: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00175F54
                                    • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 001763F3
                                    • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00176400
                                    • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0017644E
                                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 001764F6
                                    • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00176528
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                                    • String ID:
                                    • API String ID: 1256429809-0
                                    • Opcode ID: 9ecfdd6b6f3c7a537811aa039f44f5e2bdafa1621f2773dd47f11e6015c6fa0e
                                    • Instruction ID: 640a709479f6b94d04f25d76cd84aa9e150481817183b5d9a026648c9b3a261a
                                    • Opcode Fuzzy Hash: 9ecfdd6b6f3c7a537811aa039f44f5e2bdafa1621f2773dd47f11e6015c6fa0e
                                    • Instruction Fuzzy Hash: 1571D070900649AFDF15CF94C881BBEBBB6AF55344F048098FC496B296C732DD26EB61
                                    APIs
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001724CC
                                      • Part of subcall function 0016C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0016C9A3
                                    • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 001724E5
                                    • Concurrency::location::_Assign.LIBCMT ref: 001724FB
                                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 00172568
                                    • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 00172570
                                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00172597
                                    • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 001725A3
                                    • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 001725DB
                                    • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 001725FA
                                    • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 00172608
                                    • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0017262F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
                                    • String ID:
                                    • API String ID: 3608406545-0
                                    • Opcode ID: 2e4ec269c39c17059638ddc126dea93bc332eb835099612c4be0cb61a84a7488
                                    • Instruction ID: bcfee674a492d23aacff7920d4197cd049673da3d1264172d71038bf0ae84726
                                    • Opcode Fuzzy Hash: 2e4ec269c39c17059638ddc126dea93bc332eb835099612c4be0cb61a84a7488
                                    • Instruction Fuzzy Hash: A45181707002149FDB04EF64C8D5BAD77B5BF59310F5980A9ED4A9B287CB70AD42CBA2
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 0014C267
                                    • CoCreateInstance.OLE32(0019D068,00000000,00000001,0019D078,?), ref: 0014C283
                                    • CoUninitialize.OLE32 ref: 0014C291
                                    • CoUninitialize.OLE32 ref: 0014C350
                                    • CoUninitialize.OLE32 ref: 0014C364
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Uninitialize$CreateInitializeInstance
                                    • String ID: $($invalid stoi argument$stoi argument out of range
                                    • API String ID: 1968832861-2618398775
                                    • Opcode ID: 259221f369fc5d02b00868e8e78701c496a8c831da5b4e15df5c29ad5fcfb728
                                    • Instruction ID: fa0f5eb7914341b6d5d67f9e41ffc33a2213ba5ecb90d5130fb7708e0efc9539
                                    • Opcode Fuzzy Hash: 259221f369fc5d02b00868e8e78701c496a8c831da5b4e15df5c29ad5fcfb728
                                    • Instruction Fuzzy Hash: C0418D71A011189FDB08DFA8CC85FEE7BB5FB59714F108119F405EB6A0D7B4AA81CBA1
                                    APIs
                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0016A472
                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0016A4A4
                                    • List.LIBCONCRT ref: 0016A4DF
                                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0016A4F0
                                    • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 0016A50C
                                    • List.LIBCONCRT ref: 0016A547
                                    • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0016A558
                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0016A573
                                    • List.LIBCONCRT ref: 0016A5AE
                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0016A5BB
                                      • Part of subcall function 00169932: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0016994A
                                      • Part of subcall function 00169932: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0016995C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                                    • String ID:
                                    • API String ID: 3403738998-0
                                    • Opcode ID: c275ee57cde17fbc860759eec6b100ad2fb4d7300ee3269d2fc37c5ed532313d
                                    • Instruction ID: 90256a02b3aed2ff753bd3759a21b3ca078fb3812bcf63f5567ba89cc941f068
                                    • Opcode Fuzzy Hash: c275ee57cde17fbc860759eec6b100ad2fb4d7300ee3269d2fc37c5ed532313d
                                    • Instruction Fuzzy Hash: B2516D71A00209ABDF08DF54C995BEDB3B8FF58344F4440A9E906AB282DB74EE15CF91
                                    APIs
                                    • _free.LIBCMT ref: 0017DF4F
                                      • Part of subcall function 0017E7D5: HeapFree.KERNEL32(00000000,00000000,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?), ref: 0017E7EB
                                      • Part of subcall function 0017E7D5: GetLastError.KERNEL32(?,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?,?), ref: 0017E7FD
                                    • _free.LIBCMT ref: 0017DF5B
                                    • _free.LIBCMT ref: 0017DF66
                                    • _free.LIBCMT ref: 0017DF71
                                    • _free.LIBCMT ref: 0017DF7C
                                    • _free.LIBCMT ref: 0017DF87
                                    • _free.LIBCMT ref: 0017DF92
                                    • _free.LIBCMT ref: 0017DF9D
                                    • _free.LIBCMT ref: 0017DFA8
                                    • _free.LIBCMT ref: 0017DFB6
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 6e36e216f6e195d168ff73fba67d240a9ce56a43d9748ec2f4bc33459ce951f8
                                    • Instruction ID: ffe3391ace9e0673886cc96081a740064ec808ee32b3e1d7db97ee70209fadd7
                                    • Opcode Fuzzy Hash: 6e36e216f6e195d168ff73fba67d240a9ce56a43d9748ec2f4bc33459ce951f8
                                    • Instruction Fuzzy Hash: 3921667A90010CEFCB45EF94C881DDE7BF9AF18350F4181A6F5199B561EB32EA94CB80
                                    APIs
                                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0016AE03
                                    • SwitchToThread.KERNEL32(?), ref: 0016AE26
                                    • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 0016AE45
                                    • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0016AE61
                                    • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 0016AE6C
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0016AE93
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
                                    • String ID: count$ppVirtualProcessorRoots
                                    • API String ID: 3791123369-3650809737
                                    • Opcode ID: 0acaff0cb7882160efa315244a80e432666856bb8c662d78005ba6bee2592555
                                    • Instruction ID: 9ff24d69f4422f012182ce45c77072f736e0476d251c3132007c9f08f0890e38
                                    • Opcode Fuzzy Hash: 0acaff0cb7882160efa315244a80e432666856bb8c662d78005ba6bee2592555
                                    • Instruction Fuzzy Hash: 88216D34A00218EFCF14EFA9CD959ADBBB5FF59301F5040A9E905A7291CB31AE15CF91
                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 0016A889
                                    • GetCurrentProcess.KERNEL32 ref: 0016A891
                                    • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 0016A8A6
                                    • SafeRWList.LIBCONCRT ref: 0016A8C6
                                      • Part of subcall function 001688C0: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 001688D1
                                      • Part of subcall function 001688C0: List.LIBCMT ref: 001688DB
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0016A8D8
                                    • GetLastError.KERNEL32 ref: 0016A8E7
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0016A8FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
                                    • String ID: eventObject
                                    • API String ID: 165577817-1680012138
                                    • Opcode ID: c9ef5eeec1e69e03a7297c32245f6c3635a1028dd663b6bb9046c20c63a746f1
                                    • Instruction ID: 8d48ef45bba199cad370c8ee3c2435189de2f040e9e4f06cff8d918becfe2cdd
                                    • Opcode Fuzzy Hash: c9ef5eeec1e69e03a7297c32245f6c3635a1028dd663b6bb9046c20c63a746f1
                                    • Instruction Fuzzy Hash: 6C110271500204EBCB14EBA8DC4AFEE377CAF10311F604029F61AA60E2DB709A95CBA1
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bbbca81dd3dd3b50217247e64c90f9992def39c3ac5e393905a5afa1715e61fc
                                    • Instruction ID: 5445029d0285c39fa844dd7ee3c45f8cda895d791beaf8ba0cfb3e1603b0d153
                                    • Opcode Fuzzy Hash: bbbca81dd3dd3b50217247e64c90f9992def39c3ac5e393905a5afa1715e61fc
                                    • Instruction Fuzzy Hash: E5C1D2B0E04245AFDF19EFA8C880BBE7BB0BF59310F584159F915AB292D7709A41CF61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                                    • String ID:
                                    • API String ID: 3943753294-0
                                    • Opcode ID: 5ad383b612f39a46a9e72f0719aa40c8aab732e127fced5a16bd1d2bed111fbe
                                    • Instruction ID: bea09b859e234e0cece8fb48eb8c3b06900d06453fe5d66d4a6d836089074a8d
                                    • Opcode Fuzzy Hash: 5ad383b612f39a46a9e72f0719aa40c8aab732e127fced5a16bd1d2bed111fbe
                                    • Instruction Fuzzy Hash: 70517F32900205CFCF21DF64C98596AB7B1EF19312B2540AEEC26DF696D730ED86CB64
                                    APIs
                                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0016B356
                                      • Part of subcall function 0016970B: __EH_prolog3_catch.LIBCMT ref: 00169712
                                      • Part of subcall function 0016970B: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0016974B
                                    • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 0016B364
                                      • Part of subcall function 0016A370: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 0016A395
                                      • Part of subcall function 0016A370: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 0016A3B8
                                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0016B37D
                                    • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0016B389
                                      • Part of subcall function 0016970B: InterlockedPopEntrySList.KERNEL32(?), ref: 00169794
                                      • Part of subcall function 0016970B: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 001697C3
                                      • Part of subcall function 0016970B: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 001697D1
                                    • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 0016B3D5
                                    • Concurrency::location::_Assign.LIBCMT ref: 0016B3F6
                                    • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 0016B3FE
                                    • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0016B410
                                    • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 0016B440
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                                    • String ID:
                                    • API String ID: 2678502038-0
                                    • Opcode ID: 615b1b71626394da833ec8b061eddf12f34cf06b472cdda03bebfb07a28b8b74
                                    • Instruction ID: 5c3e1bfc564927dff617056da6d29d4aa58674ecbd28b87f59c592d6b4e05cf6
                                    • Opcode Fuzzy Hash: 615b1b71626394da833ec8b061eddf12f34cf06b472cdda03bebfb07a28b8b74
                                    • Instruction Fuzzy Hash: BD310930B082555BCF15AB784CD27FE7BB9AF51300F040169D856D7243DF295DA6C791
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 001743EE
                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00169701,?), ref: 00174400
                                    • GetCurrentThread.KERNEL32 ref: 00174408
                                    • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00169701,?), ref: 00174410
                                    • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00169701,?), ref: 00174429
                                    • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 0017444A
                                      • Part of subcall function 00163C63: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00163C7D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00169701,?), ref: 0017445C
                                    • GetLastError.KERNEL32(?,?,?,?,?,00169701,?), ref: 00174487
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0017449D
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                                    • String ID:
                                    • API String ID: 1293880212-0
                                    • Opcode ID: 9ba108bc06e3117cd02290bef0c0af04ac5e3694f2bb1eadf4f2f9ef8db40a44
                                    • Instruction ID: e02bcf4310b20d6d958dd95a195b670517ff5d27a8d1d63a99962f17e9d3b84a
                                    • Opcode Fuzzy Hash: 9ba108bc06e3117cd02290bef0c0af04ac5e3694f2bb1eadf4f2f9ef8db40a44
                                    • Instruction Fuzzy Hash: ED11E975A40310ABDB10AFB4AC8AF9A3BBCAF15701F148036FA4ED6152DB70D940D771
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$___from_strstr_to_strchr
                                    • String ID:
                                    • API String ID: 3409252457-0
                                    • Opcode ID: 3166b09ad3bb9b487b0ff85c4440e8a497097c57aacae1f543fa86cfd120fe41
                                    • Instruction ID: 99af6a481d9f675dcbedc29f3b61726156c6220a938bfc473b30dd56a80f118a
                                    • Opcode Fuzzy Hash: 3166b09ad3bb9b487b0ff85c4440e8a497097c57aacae1f543fa86cfd120fe41
                                    • Instruction Fuzzy Hash: EA511A71A04201AFDF26FF749881AAD77F4AF15320F2481AEE91497682FB7187808F51
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: list too long
                                    • API String ID: 0-1124181908
                                    • Opcode ID: 1c7c441932bb284c525981cf55c15d92ce9fbe7e6ce4c8d30e715d1db16b2d13
                                    • Instruction ID: 7ecd42fd5983f0880206e4cc2fb4c4748d40325944f82e1a271ce26eae78d5cc
                                    • Opcode Fuzzy Hash: 1c7c441932bb284c525981cf55c15d92ce9fbe7e6ce4c8d30e715d1db16b2d13
                                    • Instruction Fuzzy Hash: 22616EB5D047189BDB10DF64CD45B9AB7B4FB15700F0042AAFC08AB291E771AA96CF91
                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 001782C7
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 001782CF
                                    • _ValidateLocalCookies.LIBCMT ref: 00178358
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00178383
                                    • _ValidateLocalCookies.LIBCMT ref: 001783D8
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373
                                    • Opcode ID: e9bc1a18530769230751318bff581c4b9c2da50bdc2b899869552fc97d389021
                                    • Instruction ID: 82025936815bcac7e2f833c5f62c66976ccfa673ebdbe95f91676c9a2c2dd9af
                                    • Opcode Fuzzy Hash: e9bc1a18530769230751318bff581c4b9c2da50bdc2b899869552fc97d389021
                                    • Instruction Fuzzy Hash: 0E41A134A40208DFCF10DF6CC889A9EBBB5BF45718F14C159E9196B392DB31DA45CBA1
                                    APIs
                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00175592
                                      • Part of subcall function 00175861: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,001752DA), ref: 00175871
                                    • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 001755A7
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 001755B6
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0017567A
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                                    • String ID: pContext$switchState
                                    • API String ID: 1312548968-2660820399
                                    • Opcode ID: 9725bfde2e1f912bc4fbca0ff3ba341e8231312760a8ca8772b92edd245399cb
                                    • Instruction ID: 1b51c9c02fcac929e79d5f37e33b1de31600e59ea3c010e2b01883b82dbb34f9
                                    • Opcode Fuzzy Hash: 9725bfde2e1f912bc4fbca0ff3ba341e8231312760a8ca8772b92edd245399cb
                                    • Instruction Fuzzy Hash: 7331B435A006149BCF14EF68C891D6D77B7FF65310F2484A9EC199B292DBB0EE06CB90
                                    APIs
                                    • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0017222A
                                      • Part of subcall function 00171F97: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00171FCA
                                      • Part of subcall function 00171F97: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00171FEC
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001722A7
                                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 001722B3
                                    • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 001722C2
                                    • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 001722CC
                                    • Concurrency::location::_Assign.LIBCMT ref: 00172300
                                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00172308
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                                    • String ID:
                                    • API String ID: 1924466884-0
                                    • Opcode ID: a64db80706eebd32aa859afa1d95f48863b31ab69bac74b7a1457d6415e9e3f0
                                    • Instruction ID: cda38b8b7554ff6789610e08d5303b1fe2d8453943c4a16667d60eab2dff759f
                                    • Opcode Fuzzy Hash: a64db80706eebd32aa859afa1d95f48863b31ab69bac74b7a1457d6415e9e3f0
                                    • Instruction Fuzzy Hash: 71412935A00214DFCB05EF64C885AADB7B5BF48314F1880A9ED499B346DB74AA42CFA1
                                    APIs
                                      • Part of subcall function 00182A84: _free.LIBCMT ref: 00182AA9
                                    • _free.LIBCMT ref: 00182B0A
                                      • Part of subcall function 0017E7D5: HeapFree.KERNEL32(00000000,00000000,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?), ref: 0017E7EB
                                      • Part of subcall function 0017E7D5: GetLastError.KERNEL32(?,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?,?), ref: 0017E7FD
                                    • _free.LIBCMT ref: 00182B15
                                    • _free.LIBCMT ref: 00182B20
                                    • _free.LIBCMT ref: 00182B74
                                    • _free.LIBCMT ref: 00182B7F
                                    • _free.LIBCMT ref: 00182B8A
                                    • _free.LIBCMT ref: 00182B95
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 274dd61fdf06beebb7c8b8f2454822088dbe7c900fd2abe588607240b9dca85f
                                    • Instruction ID: 191b052f93eede1447f0cf240c7a2d58f206254835d3422a9114ef0bccd67806
                                    • Opcode Fuzzy Hash: 274dd61fdf06beebb7c8b8f2454822088dbe7c900fd2abe588607240b9dca85f
                                    • Instruction Fuzzy Hash: 83112C72540B04EAD539FBB0CC46FCB77EC5F14B10F844825B2AE66952EBB5A6444B90
                                    APIs
                                    • __Mtx_unlock.LIBCPMT ref: 0015A701
                                    • std::_Rethrow_future_exception.LIBCPMT ref: 0015A752
                                    • std::_Rethrow_future_exception.LIBCPMT ref: 0015A762
                                    • __Mtx_unlock.LIBCPMT ref: 0015A805
                                    • __Mtx_unlock.LIBCPMT ref: 0015A90B
                                    • __Mtx_unlock.LIBCPMT ref: 0015A946
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
                                    • String ID:
                                    • API String ID: 1997747980-0
                                    • Opcode ID: 719416e4a383ba90e8c99a1a8d1ffb7117915d518ce11109616f00264cb75aa8
                                    • Instruction ID: aa93d1822857120a305e71d7bf674f4aebd65d7d58d626b208910b5ec4ae5da4
                                    • Opcode Fuzzy Hash: 719416e4a383ba90e8c99a1a8d1ffb7117915d518ce11109616f00264cb75aa8
                                    • Instruction Fuzzy Hash: B5C1F271D40208DFDB20DF64C945BAFBBF4AF15306F40462DEC669B682D731A949CB92
                                    APIs
                                    • GetConsoleCP.KERNEL32(?,00148FB0,00000000), ref: 001836E8
                                    • __fassign.LIBCMT ref: 001838C7
                                    • __fassign.LIBCMT ref: 001838E4
                                    • WriteFile.KERNEL32(?,00148FB0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0018392C
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0018396C
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00183A18
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLast
                                    • String ID:
                                    • API String ID: 4031098158-0
                                    • Opcode ID: 59509d7e791459b6746b30845b2843423a4deace6a1902a1c21eee923fddb917
                                    • Instruction ID: dc1c034f036d1e8d05dd1385ccc4b2b8a3b66c0e636f191d2a3f09767712303b
                                    • Opcode Fuzzy Hash: 59509d7e791459b6746b30845b2843423a4deace6a1902a1c21eee923fddb917
                                    • Instruction Fuzzy Hash: 87D18BB5D002589FCF15DFE8C8809EDBBB5AF49714F28416AE865FB241D730AA46CF60
                                    APIs
                                    • Concurrency::location::_Assign.LIBCMT ref: 00172371
                                    • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00172379
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001723A3
                                    • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 001723AC
                                    • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0017242F
                                    • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00172437
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                                    • String ID:
                                    • API String ID: 3929269971-0
                                    • Opcode ID: 42be7aac7b98a72aee334de08c0ce75d81bbb83e28c9f376afa39e2916832d62
                                    • Instruction ID: a2a07b31783b9ee3f1871e03209ee73a77de7aef8970be3db166203ec880e041
                                    • Opcode Fuzzy Hash: 42be7aac7b98a72aee334de08c0ce75d81bbb83e28c9f376afa39e2916832d62
                                    • Instruction Fuzzy Hash: 7F414F75A00519EFCB09DF64C994A6DBBB5FF8C310F048159E80AAB391CB74AE02CF91
                                    APIs
                                    • _SpinWait.LIBCONCRT ref: 0016290E
                                    • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0016291A
                                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00162933
                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00162961
                                    • Concurrency::Context::Block.LIBCONCRT ref: 00162983
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                                    • String ID:
                                    • API String ID: 1182035702-0
                                    • Opcode ID: c30800c9d26c550b38b6a3a4b5cccf6912294b8728c4eb1de779109806f69f36
                                    • Instruction ID: 2772d1f22dfe1a8c3709b243ccd93f219e9c4cb993464de337f780353340a48f
                                    • Opcode Fuzzy Hash: c30800c9d26c550b38b6a3a4b5cccf6912294b8728c4eb1de779109806f69f36
                                    • Instruction Fuzzy Hash: 0721A17080061ADADF29DFA4CC457EEB7F0BF24324F240A2DE062A62D1E7B58A54CB51
                                    APIs
                                    • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0016DABC
                                      • Part of subcall function 0016EFB3: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0016F002
                                    • GetCurrentThread.KERNEL32 ref: 0016DAC6
                                    • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0016DAD2
                                      • Part of subcall function 00163DDA: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 00163DEC
                                      • Part of subcall function 00164266: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0016426D
                                    • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0016DB15
                                      • Part of subcall function 0016EF65: SetEvent.KERNEL32(?,?,0016DB1A,0016E8AE,00000000,?,00000000,0016E8AE,00000004,0016EF5A,?,00000000,?,?,00000000), ref: 0016EFA9
                                    • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0016DB1E
                                      • Part of subcall function 0016E594: List.LIBCONCRT ref: 0016E5CA
                                    • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0016DB2E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
                                    • String ID:
                                    • API String ID: 318399070-0
                                    • Opcode ID: 19a963cdda81d7f841b67ca794e0ebabc171ae3b11fd57c2ddaec6fd3f89c530
                                    • Instruction ID: 621f9c79ad24158447196cf3ef61b4686b4594c0e6a3671e745b8a6e170950fa
                                    • Opcode Fuzzy Hash: 19a963cdda81d7f841b67ca794e0ebabc171ae3b11fd57c2ddaec6fd3f89c530
                                    • Instruction Fuzzy Hash: 3521AC32A00B109FCB25EF64D9908ABB3F5FF5C7007014A5DE44297651DB74E911CB91
                                    APIs
                                    • GetLastError.KERNEL32(?,?,0017897E,00177542,0015EFA5,5AF7439D,?,00000000,0018F2B8,000000FF,?,001423EA,?,?), ref: 00178995
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001789A3
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 001789BC
                                    • SetLastError.KERNEL32(00000000,?,0017897E,00177542,0015EFA5,5AF7439D,?,00000000,0018F2B8,000000FF,?,001423EA,?,?), ref: 00178A0E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    • Opcode ID: 6d67e8a4a1c77bd36d3e20fb92706ffcd71aa1510551c95d7a8522ebe4e85dbd
                                    • Instruction ID: 1700b8fffc2019d55d7867ff61b3db1e38991fc9be1dacfded67a41115eae4b1
                                    • Opcode Fuzzy Hash: 6d67e8a4a1c77bd36d3e20fb92706ffcd71aa1510551c95d7a8522ebe4e85dbd
                                    • Instruction Fuzzy Hash: C801F7332492116EE62427B47C8DE6A2675DBA2375324833FF22D925E0FF125C825280
                                    APIs
                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0016367B
                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 00163681
                                    • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001636AE
                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001636B8
                                    • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 001636CA
                                    • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 001636E0
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Similarity
                                    • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                                    • String ID:
                                    • API String ID: 2808382621-0
                                    • Opcode ID: 9e8e19f546359579346a33e91aae2ee6f78512848c8c0c496f74fdd10d8e4a0f
                                    • Instruction ID: 611b6ab5beb2c7e80cc4032034c0f9d587dfdd030fa3b9f554892709f8a07c86
                                    • Opcode Fuzzy Hash: 9e8e19f546359579346a33e91aae2ee6f78512848c8c0c496f74fdd10d8e4a0f
                                    • Instruction Fuzzy Hash: A9012635B04105BBCB20AB65DC49EAF377CEF60351F100426F52AD21A1DB30EB9687A0
                                    APIs
                                    • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 001752D5
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 001752F4
                                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 0017533B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                                    • String ID: pContext
                                    • API String ID: 1284976207-2046700901
                                    • Opcode ID: 65f39eecb7177db5c75fa13cabf8c9ac208d4a9409428fa0e78477733cc75b94
                                    • Instruction ID: 07e6bece2654d7732173355269027d101e2bb61f98bdde0b3382fe6bec9d931c
                                    • Opcode Fuzzy Hash: 65f39eecb7177db5c75fa13cabf8c9ac208d4a9409428fa0e78477733cc75b94
                                    • Instruction Fuzzy Hash: 86210B31700A15DBCB19AF68C895ABD73B7BFA4324F05405AE419872E2CBF4AC46CBD1
                                    Strings
                                    • C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe, xrefs: 001819C9
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe
                                    • API String ID: 0-1988637054
                                    • Opcode ID: c1f9b108a188e429e89a92a00b79ea5b1d7ec2e927aa80aa40c009dac2c9e09d
                                    • Instruction ID: dbb23c01adbf7506f195551b414868a7e09ee1bbdd5ddf36890122662ea67e04
                                    • Opcode Fuzzy Hash: c1f9b108a188e429e89a92a00b79ea5b1d7ec2e927aa80aa40c009dac2c9e09d
                                    • Instruction Fuzzy Hash: 4821C2B2605145BFDB28BF60CC80D6B776DEF603A4B108615F929C7140E730ED428FA0
                                    APIs
                                    • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00168953
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00168976
                                    • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 001689B8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                                    • String ID: count$ppVirtualProcessorRoots
                                    • API String ID: 18808576-3650809737
                                    • Opcode ID: 54264dc4ff924cf0ee614f2cf6ab46176c638cdd3a79e5bff784b6c669585018
                                    • Instruction ID: 7e1cff0294bcb898b3c1f22e8df158a02dfb0c875c81ce12b982808c89048ef1
                                    • Opcode Fuzzy Hash: 54264dc4ff924cf0ee614f2cf6ab46176c638cdd3a79e5bff784b6c669585018
                                    • Instruction Fuzzy Hash: FF21CF35600215AFCB18EFA8CC91EBD77B5BF59314F10406DE506AB691CF71AE12CB91
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _wcsrchr
                                    • String ID: .bat$.cmd$.com$.exe
                                    • API String ID: 1752292252-4019086052
                                    • Opcode ID: 349b51d9ae627da49d7a5c665f7c119647b58c8feecf08ee1f694c55a5eba1d9
                                    • Instruction ID: 000a5fcbc2d5a617439180445d181ea68c414e6379e905a48cad541a55afafc9
                                    • Opcode Fuzzy Hash: 349b51d9ae627da49d7a5c665f7c119647b58c8feecf08ee1f694c55a5eba1d9
                                    • Instruction Fuzzy Hash: 4E01DB37608612365A152438AD4266F1BBC8FE5BB0715802EF84CF71C1EF54DC4381A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-
                                    • API String ID: 0-2084034818
                                    • Opcode ID: 93ea0b6aa8ae203b366fd0047fdae8ea51f303209998bd35b9a63378dcc7f3fc
                                    • Instruction ID: da90797142a2d3b57b453fe9c123501fda93c38fbe0d62c1d38edb04c9e0b8e1
                                    • Opcode Fuzzy Hash: 93ea0b6aa8ae203b366fd0047fdae8ea51f303209998bd35b9a63378dcc7f3fc
                                    • Instruction Fuzzy Hash: A8112B35E03626ABDB328B28DC41E5E3774AF017B0B118111F90EAB290D730DD04C6E0
                                    APIs
                                    • StructuredWorkStealingQueue.LIBCMT ref: 00175B07
                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00175B18
                                    • StructuredWorkStealingQueue.LIBCMT ref: 00175B4E
                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00175B5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                                    • String ID: e
                                    • API String ID: 3804418703-4024072794
                                    • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                                    • Instruction ID: 82a6355b7226975f635920b4cdc85af705681a377891fffb59a06fd86e99401f
                                    • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                                    • Instruction Fuzzy Hash: DC11A331200905DBDB09DE79C891ABB73B7AF11364B28C15AE80E8F242DBF1D901CFA1
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00179FB2,?,?,00179F7A,?,?,?), ref: 00179FD2
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00179FE5
                                    • FreeLibrary.KERNEL32(00000000,?,?,00179FB2,?,?,00179F7A,?,?,?), ref: 0017A008
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    • Opcode ID: 8c289d21ddbc654e140fa61917c620c2af221d365c5e57bc8d752e939e1f24d4
                                    • Instruction ID: 59884f9893368be3da08c032c23f614070bcb568b04cd44d1bebb506093b0b9e
                                    • Opcode Fuzzy Hash: 8c289d21ddbc654e140fa61917c620c2af221d365c5e57bc8d752e939e1f24d4
                                    • Instruction Fuzzy Hash: 98F08C32544219FBDB119B50ED0AF9E7E7AEB00756F004061F804A21A0CB708E85DA90
                                    APIs
                                    • GetUserNameA.ADVAPI32(?,?), ref: 00146EEA
                                    • LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 00146F30
                                    • GetSidIdentifierAuthority.ADVAPI32(?), ref: 00146F3D
                                    • GetSidSubAuthorityCount.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00147051
                                    • GetSidSubAuthority.ADVAPI32(?,00000000), ref: 00147078
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Authority$Name$AccountCountIdentifierLookupUser
                                    • String ID:
                                    • API String ID: 4230999276-0
                                    • Opcode ID: 16f7e4bd8c1ee1d6e4cd6eb103f83e9934015b7464278747272f56af8a8d05fe
                                    • Instruction ID: a9b8502efb4d36942af558bd40acdda5cf5b1f8f3eb8b68987b8ecc69ebec48a
                                    • Opcode Fuzzy Hash: 16f7e4bd8c1ee1d6e4cd6eb103f83e9934015b7464278747272f56af8a8d05fe
                                    • Instruction Fuzzy Hash: 9391E1B1A001189BDB28DF28CC85BEDB779EB49300F4045E9F51997292DB319FC88FA5
                                    APIs
                                    • GetFileType.KERNEL32(?,?,00000000,00000000), ref: 0017A943
                                    • GetFileInformationByHandle.KERNEL32(?,?), ref: 0017A99D
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0017A853,?,000000FF), ref: 0017AA2B
                                    • __dosmaperr.LIBCMT ref: 0017AA32
                                    • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 0017AA6F
                                      • Part of subcall function 0017AC97: __dosmaperr.LIBCMT ref: 0017ACCC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                                    • String ID:
                                    • API String ID: 1206951868-0
                                    • Opcode ID: 396134d8ac008b7ca642e7e895865117fd1d9f5663ca6aca9406d0c105692fa3
                                    • Instruction ID: 4449b0c2fa7c3dd5d1dcb5ffcce85529c272cb82cd38047474f6cccefc392ef2
                                    • Opcode Fuzzy Hash: 396134d8ac008b7ca642e7e895865117fd1d9f5663ca6aca9406d0c105692fa3
                                    • Instruction Fuzzy Hash: EB414976900344AFCB24DFA5DD459AFBBF9EF98300B40842EF95AD3650E730A944CB62
                                    APIs
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 001715B7
                                      • Part of subcall function 0016C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0016C9A3
                                    • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00171616
                                    • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0017163C
                                    • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0017165C
                                    • Concurrency::location::_Assign.LIBCMT ref: 001716A9
                                      • Part of subcall function 00174D82: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00174DC7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                                    • String ID:
                                    • API String ID: 1879022333-0
                                    • Opcode ID: 09105924defe83d8c9fd7fe225f32800637f4035554001593e4c070124ae054f
                                    • Instruction ID: 43875f3e633542261a30b95aeee9c06d8b272edac164dfdb2c350399d0e1f65b
                                    • Opcode Fuzzy Hash: 09105924defe83d8c9fd7fe225f32800637f4035554001593e4c070124ae054f
                                    • Instruction Fuzzy Hash: D841E970600210BBCF2A9B28CC86BBDBB7AAF55714F18805DF40A5B382CB749E45CBD1
                                    APIs
                                    • __EH_prolog3_catch.LIBCMT ref: 0016D6EF
                                    • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 0016D73B
                                    • std::bad_exception::bad_exception.LIBCMT ref: 0016D751
                                    • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 0016D793
                                    • std::bad_exception::bad_exception.LIBCMT ref: 0016D7BD
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::PolicyPolicy::_Schedulerstd::bad_exception::bad_exception$H_prolog3_catchResolveValidValueValues
                                    • String ID:
                                    • API String ID: 921398678-0
                                    • Opcode ID: 56142ca87ffcba74295d636ac7f8492cd5222f34110aa5a22f0b74a53deca222
                                    • Instruction ID: cf655c4060cf9ed4d970d9f268444293968618ca206ce1216be98b23903eb6ef
                                    • Opcode Fuzzy Hash: 56142ca87ffcba74295d636ac7f8492cd5222f34110aa5a22f0b74a53deca222
                                    • Instruction Fuzzy Hash: FE21C576E00214DFDB05EFA4EC86DAEB7B8FF15314B204029F405AB251DB316E66CB51
                                    APIs
                                    • _free.LIBCMT ref: 00182A33
                                      • Part of subcall function 0017E7D5: HeapFree.KERNEL32(00000000,00000000,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?), ref: 0017E7EB
                                      • Part of subcall function 0017E7D5: GetLastError.KERNEL32(?,?,00182AAE,?,00000000,?,?,?,00182AD5,?,00000007,?,?,00182ED7,?,?), ref: 0017E7FD
                                    • _free.LIBCMT ref: 00182A45
                                    • _free.LIBCMT ref: 00182A57
                                    • _free.LIBCMT ref: 00182A69
                                    • _free.LIBCMT ref: 00182A7B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 22e43875c1522b67f6527534bd84a1c7d422ca04f858ed6201ee9c74f9fff8bd
                                    • Instruction ID: 398ed292e9d7bce6cd2ea195285a978c36e266d900b96b0cff5c901abbcc0198
                                    • Opcode Fuzzy Hash: 22e43875c1522b67f6527534bd84a1c7d422ca04f858ed6201ee9c74f9fff8bd
                                    • Instruction Fuzzy Hash: 2CF03733514200AB8629EB98E9C2C1A77F9AF55320BA84809F408D7D40DB31FDC18AA0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Users\user\AppData\Local\Temp\28c5e5ba36\Hkbsse.exe$p3j
                                    • API String ID: 0-3885825041
                                    • Opcode ID: 1de254c287ff4cc62c0e8e8c8acb8f1353aa857de19a5f6439bca68a325e9370
                                    • Instruction ID: 757e56e1e84d5e40350729a6cf8022cfd2d85dd6bd5063c29718993b0195ef51
                                    • Opcode Fuzzy Hash: 1de254c287ff4cc62c0e8e8c8acb8f1353aa857de19a5f6439bca68a325e9370
                                    • Instruction Fuzzy Hash: 26418371A00218AFCB15DB99DC81D9EBBF8EF99350F1480AAF408E7251E7708A81CBD0
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 001790D0
                                    • CatchIt.LIBVCRUNTIME ref: 001791B6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CatchEncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 1435073870-2084237596
                                    • Opcode ID: 2c1c506f57753824253f82400413f35b0eb84d89e68c11ae1714a59deaad95fb
                                    • Instruction ID: bb19a505c7203ee133cd1fa5abe4d03ce0628f3823c76a270442adf3a560bdf3
                                    • Opcode Fuzzy Hash: 2c1c506f57753824253f82400413f35b0eb84d89e68c11ae1714a59deaad95fb
                                    • Instruction Fuzzy Hash: 50418C7290020AAFCF15DF98CC85AEEBBB5FF48314F158159F908A7261D3359960DB50
                                    APIs
                                    • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0016DB55
                                    • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0016DB79
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0016DB8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
                                    • String ID: pScheduler
                                    • API String ID: 246774199-923244539
                                    • Opcode ID: dd14387ab6880db459af116f11b0231c08150863115431253473a7a468c4fe31
                                    • Instruction ID: 1985d35780729880e1615c9f7092892c7caeda0146f21ecf0b7533e65483ee21
                                    • Opcode Fuzzy Hash: dd14387ab6880db459af116f11b0231c08150863115431253473a7a468c4fe31
                                    • Instruction Fuzzy Hash: 17F02E35A00104A7C724FF54EC52C9EB37A9EA3710722416DF416571C5DB71AD1AC7E1
                                    APIs
                                    • GetVersionExW.KERNEL32(0000011C,5AF7439D), ref: 0014865A
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001486BB
                                    • GetProcAddress.KERNEL32(00000000), ref: 001486C2
                                    • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00148787
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleInfoModuleProcSystemVersion
                                    • String ID:
                                    • API String ID: 1456109104-0
                                    • Opcode ID: 0e9e89f0834c739e393b931835996357fa3fbe7ffdbd67c21e50193752ea742d
                                    • Instruction ID: 220e555719e6cf3622f0eff3275e5b8e4dcea5f69923fe7c7b556676a39f2ade
                                    • Opcode Fuzzy Hash: 0e9e89f0834c739e393b931835996357fa3fbe7ffdbd67c21e50193752ea742d
                                    • Instruction Fuzzy Hash: BBD10771E002049BDF14BB68DC5A39E7B72EB52314F94428CE815AB3E2DB355E858BD2
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _strrchr
                                    • String ID:
                                    • API String ID: 3213747228-0
                                    • Opcode ID: f29d928ae47408e1de63442ff607e58013e3970ed8a845dc5c8910df8058d850
                                    • Instruction ID: a5e24ce4b90d88208c71ff6c4481fb2436ce17d2fac9be64e6d1d1df087d3806
                                    • Opcode Fuzzy Hash: f29d928ae47408e1de63442ff607e58013e3970ed8a845dc5c8910df8058d850
                                    • Instruction Fuzzy Hash: A3B157329002499FDB56EF28C8917BEBBE5EF99340F24806AE844EB241D7349F45CF60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    • Opcode ID: 4aef1d81de105a344ff9885d589e9795d98853ae460336bf2f4eb6ea3b8328fa
                                    • Instruction ID: c39942fe2ce10b1f1829c13aa399f5e478f161e1331266deff7430f56d5d8843
                                    • Opcode Fuzzy Hash: 4aef1d81de105a344ff9885d589e9795d98853ae460336bf2f4eb6ea3b8328fa
                                    • Instruction Fuzzy Hash: 005106B2A44602AFDB299F14D849BBA77B4FF24310F14C52DE90D97291EB31ED81C7A0
                                    APIs
                                    • GetVersionExW.KERNEL32(0000011C,?,5AF7439D), ref: 00148C09
                                    • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00148C70
                                    • GetProcAddress.KERNEL32(00000000), ref: 00148C77
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressHandleModuleProcVersion
                                    • String ID:
                                    • API String ID: 3310240892-0
                                    • Opcode ID: 2e04623ef12ffdecf532f666485acd92843c9a37613dcd02fa0fa10e7a1b7ee5
                                    • Instruction ID: 75346dc9762c4dc649c4e769e87d38433fd2162264bc5761942db56a58c2a0f4
                                    • Opcode Fuzzy Hash: 2e04623ef12ffdecf532f666485acd92843c9a37613dcd02fa0fa10e7a1b7ee5
                                    • Instruction Fuzzy Hash: 32512970D012489BDB18EF64CD897EDBB75EB55310F5042A9E808A72E2DB315AC48BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EqualOffsetTypeids
                                    • String ID:
                                    • API String ID: 1707706676-0
                                    • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                                    • Instruction ID: d283dd3c859805eee702cff9992a350fa4a5ef6b4010b1aa737668a5a19f3f48
                                    • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                                    • Instruction Fuzzy Hash: 8E51B0399442099FDF18CF69C4846EEFBF5EF15350F28849AE846A7351DB32AD44CB90
                                    APIs
                                    • _free.LIBCMT ref: 00189A7E
                                    • _free.LIBCMT ref: 00189AA7
                                    • SetEndOfFile.KERNEL32(00000000,001853EA,00000000,00185681,?,?,?,?,?,?,?,001853EA,00185681,00000000), ref: 00189AD9
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,001853EA,00185681,00000000,?,?,?,?,00000000), ref: 00189AF5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFileLast
                                    • String ID:
                                    • API String ID: 1547350101-0
                                    • Opcode ID: cb6105b60d9b5d0a3a66b5f2792837229c1b20b0fa829ed4ad0b59e8777b19be
                                    • Instruction ID: 1cf0583a449c43549307e57a568cb1e575e7aed9674c4ea4a22f46fdfd491690
                                    • Opcode Fuzzy Hash: cb6105b60d9b5d0a3a66b5f2792837229c1b20b0fa829ed4ad0b59e8777b19be
                                    • Instruction Fuzzy Hash: D541C7729006059BDB19BBB8CC82BBE37B9AF94320F2D0550F528E7191E770DE408F61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                                    • String ID:
                                    • API String ID: 3264154886-0
                                    • Opcode ID: f6d44c6eb640d7a837b39298943f225e4c513b5e66df57d66289ff21913d67c7
                                    • Instruction ID: f765cf86739682bbada19640d893d0ceabb9eb50b714fcc495702adbd1a8b89c
                                    • Opcode Fuzzy Hash: f6d44c6eb640d7a837b39298943f225e4c513b5e66df57d66289ff21913d67c7
                                    • Instruction Fuzzy Hash: 7C41ACB1A006099BDB21DB64C944B5AB7F8BF25310F80453DFC25D7791EB34E949CB81
                                    APIs
                                    • __EH_prolog3_GS.LIBCMT ref: 0016273F
                                    • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00162769
                                      • Part of subcall function 00162E2F: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00162E4C
                                    • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 001627E6
                                    • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00162818
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter
                                    • String ID:
                                    • API String ID: 1207923566-0
                                    • Opcode ID: a4aeba1883c61c6ab75e4d6b87a57caa43b28fd0a5afdf549b5cb4bec80df952
                                    • Instruction ID: 3dda9b4af206726e980d9ccd39fb467e7ed3ef1b1670ade80d41295e4f69a41b
                                    • Opcode Fuzzy Hash: a4aeba1883c61c6ab75e4d6b87a57caa43b28fd0a5afdf549b5cb4bec80df952
                                    • Instruction Fuzzy Hash: 39319076A0060A8FCB15DFA8CD419ADB7F5AF69310F25406EE405FB341DB349E12CBA1
                                    APIs
                                    • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00166761
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BuffersConcurrency::details::InitializeManager::Resource
                                    • String ID:
                                    • API String ID: 3433162309-0
                                    • Opcode ID: 2d0e5aa91cfa1ccaad93b407b8265a66458218d177ad003e4d6a7668da30db82
                                    • Instruction ID: 1deb5572279b6927c7c6b9d54f1f0ae260e85d7dbe59d3cbc3a0e7a8e7417391
                                    • Opcode Fuzzy Hash: 2d0e5aa91cfa1ccaad93b407b8265a66458218d177ad003e4d6a7668da30db82
                                    • Instruction Fuzzy Hash: 60314775A00309EFCF14DFA4C8C0AAEBBB9BF54315F1404AAD945AB246D770AE55CBA0
                                    APIs
                                      • Part of subcall function 0017A41C: _free.LIBCMT ref: 0017A42A
                                      • Part of subcall function 00182307: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,001887A0,?,00000000,00000000), ref: 001823A9
                                    • GetLastError.KERNEL32 ref: 00181398
                                    • __dosmaperr.LIBCMT ref: 0018139F
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 001813DE
                                    • __dosmaperr.LIBCMT ref: 001813E5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                    • String ID:
                                    • API String ID: 167067550-0
                                    • Opcode ID: 672207ad442cca2dbf64cbeadb247a2e3d89d7c927b3d73bb551f7163c363074
                                    • Instruction ID: c3585f8357b60e688289286aeb5087af78b200dce7b09ffdf837672c963948f2
                                    • Opcode Fuzzy Hash: 672207ad442cca2dbf64cbeadb247a2e3d89d7c927b3d73bb551f7163c363074
                                    • Instruction Fuzzy Hash: F121AEB2604205BF9B20BF65888196EB7ACFF243747108615FD6997540D731EE428FA1
                                    APIs
                                    • SetEvent.KERNEL32(?,00000000,?), ref: 0017453C
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00174524
                                      • Part of subcall function 0016C982: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0016C9A3
                                    • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0017459F
                                    • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,001A3B00), ref: 001745A4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                                    • String ID:
                                    • API String ID: 2734100425-0
                                    • Opcode ID: fd5357e865659ec1827126a47a9a7f3f9aa0a7045985787714bc6732ab7c4c2b
                                    • Instruction ID: 4e019554638da0824182883ec644fa14a2eb37c0c0c8282def9e347cca9fa174
                                    • Opcode Fuzzy Hash: fd5357e865659ec1827126a47a9a7f3f9aa0a7045985787714bc6732ab7c4c2b
                                    • Instruction Fuzzy Hash: 3121C375700124AFCB10EB68DC85D7EB7FCEB58720B15445AFA26E3291CB70AE018AA1
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0017A39A,?,?,?,?,0017AFCE,?), ref: 0017E056
                                    • _free.LIBCMT ref: 0017E0B3
                                    • _free.LIBCMT ref: 0017E0E9
                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0017A39A,?,?,?,?,0017AFCE,?), ref: 0017E0F4
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: 1e5caeb5d1598e9388f65b05a49c7677c4aa24aefcd8fcadd3180875d1087422
                                    • Instruction ID: 70833bc6322c18bf0203f5940edbce337cadb887b2ccc2edd1f1d33ea3fcc147
                                    • Opcode Fuzzy Hash: 1e5caeb5d1598e9388f65b05a49c7677c4aa24aefcd8fcadd3180875d1087422
                                    • Instruction Fuzzy Hash: E7114C723046016FDA2167B85C85D2B25FEEBEE37572986B4F22C865D2EFB58C424610
                                    APIs
                                    • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00174E16
                                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00174DC7
                                      • Part of subcall function 0016BD6E: SafeRWList.LIBCONCRT ref: 0016BD7F
                                    • SafeRWList.LIBCONCRT ref: 00174E0C
                                    • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00174E2C
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                                    • String ID:
                                    • API String ID: 336577199-0
                                    • Opcode ID: fb88ba2dd4f3345f8e29b4a75093c7bf861700748f74b02421f5518e2f6fec53
                                    • Instruction ID: b031591ca0b7b0f758ea54feb6f36b7d14b345f420ae097492e5cac7a9f44e3b
                                    • Opcode Fuzzy Hash: fb88ba2dd4f3345f8e29b4a75093c7bf861700748f74b02421f5518e2f6fec53
                                    • Instruction Fuzzy Hash: E921C27161420ADFC704DF64C881FA9FBF9FB90718F14D2AAD4098B542DB35E995CB80
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,0017AF68,00142207), ref: 0017E1AD
                                    • _free.LIBCMT ref: 0017E20A
                                    • _free.LIBCMT ref: 0017E240
                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,0017AF68,00142207), ref: 0017E24B
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: e9c0d7e5f00cd3772be4642c7e34eb4eb2f9b08f79d74fd3bbe26593f1c13eea
                                    • Instruction ID: 649e053b3352859a1f7d77accd890eb8aa9ee09570e4082e48a318d0ff043b9b
                                    • Opcode Fuzzy Hash: e9c0d7e5f00cd3772be4642c7e34eb4eb2f9b08f79d74fd3bbe26593f1c13eea
                                    • Instruction Fuzzy Hash: 71116B722046006FD61077B45C82D2B25FEEBDE375BA986B5F53C875D2EF328C424510
                                    APIs
                                    • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00162D61
                                      • Part of subcall function 00162F1D: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00168ED8
                                    • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00162D82
                                      • Part of subcall function 00163C04: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00163C20
                                    • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 00162D9E
                                    • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00162DA5
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                                    • String ID:
                                    • API String ID: 1684785560-0
                                    • Opcode ID: 2ae62ea4503c5a210f2b9f16ab33e644f0d319602cb708fe3d5f9956e9b300bd
                                    • Instruction ID: 4bfc6ee567d6f5e39afc3e07c4caad1dc10741004a3095f0cb3f2d702a0bfc23
                                    • Opcode Fuzzy Hash: 2ae62ea4503c5a210f2b9f16ab33e644f0d319602cb708fe3d5f9956e9b300bd
                                    • Instruction Fuzzy Hash: 5301F971900705BFD7206FA8CC85C9BFBBCDF21350B10856EF965D2191D77199248BA1
                                    APIs
                                    • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00176E2B
                                    • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00176E3F
                                    • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00176E57
                                    • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00176E6F
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                    • String ID:
                                    • API String ID: 78362717-0
                                    • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                                    • Instruction ID: a725528143909a59eb32e4126a62f156bc1eae0330ef07690bb13bd9d3ffbd0b
                                    • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                                    • Instruction Fuzzy Hash: C201D63A600914A7CF16EE65C851AAF77BDAF94750F008055FD59A7281DF70ED109AF0
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0017F291,00000000,?,0018598B,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0017F142
                                    • GetLastError.KERNEL32(?,0018598B,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0017F291,00000000,00000104,?), ref: 0017F14C
                                    • __dosmaperr.LIBCMT ref: 0017F153
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFullLastNamePath__dosmaperr
                                    • String ID:
                                    • API String ID: 2398240785-0
                                    • Opcode ID: 9bc8ac35c92951d7b21c1a9e7559574ad8288d81fb19cb3f049fc12e448da08b
                                    • Instruction ID: a7030a334748816d1b45150065db34e7f3f2ace42bd21ad17bdf6b7dc8594946
                                    • Opcode Fuzzy Hash: 9bc8ac35c92951d7b21c1a9e7559574ad8288d81fb19cb3f049fc12e448da08b
                                    • Instruction Fuzzy Hash: 28F04632600115BB8A205BA2CC08C5BBF79FF993A0B40C129F52DC6520DB31E862DBE0
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,?,?,00000000,0017F291,00000000,?,00185916,00000000,00000000,0017F291,?,?,00000000,00000000,00000001), ref: 0017F1AB
                                    • GetLastError.KERNEL32(?,00185916,00000000,00000000,0017F291,?,?,00000000,00000000,00000001,00000000,00000000,?,0017F291,00000000,00000104), ref: 0017F1B5
                                    • __dosmaperr.LIBCMT ref: 0017F1BC
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorFullLastNamePath__dosmaperr
                                    • String ID:
                                    • API String ID: 2398240785-0
                                    • Opcode ID: c2d2a5353e45c52bfb209c2c28d5a7a3aabb6b70fbc6ec0fa53d8207b8310a0f
                                    • Instruction ID: dcd0c39ec7801970f774e235466973191b2afe4355b61b22af5dcc77438563ae
                                    • Opcode Fuzzy Hash: c2d2a5353e45c52bfb209c2c28d5a7a3aabb6b70fbc6ec0fa53d8207b8310a0f
                                    • Instruction Fuzzy Hash: 27F04B32200116BB8A206BB2CC08D4BBFB9FF543A0751C129F51DD6520DB31E852DBD0
                                    APIs
                                      • Part of subcall function 001639B8: TlsGetValue.KERNEL32(?,?,00162F39,00162D66,?,?), ref: 001639BE
                                    • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00168A81
                                      • Part of subcall function 00171D61: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00171D88
                                      • Part of subcall function 00171D61: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00171DA1
                                      • Part of subcall function 00171D61: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00171E17
                                      • Part of subcall function 00171D61: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00171E1F
                                    • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00168A8F
                                    • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00168A99
                                    • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00168AA3
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                                    • String ID:
                                    • API String ID: 2616382602-0
                                    • Opcode ID: 285fc857f44b4a186d74ef8660f4baa569c5eaac30d8a737e4cbb106742b3b06
                                    • Instruction ID: cf612968a42e8746ba2e39b7bb4d71bfd26f9d4d003620ced64f357281bfa0eb
                                    • Opcode Fuzzy Hash: 285fc857f44b4a186d74ef8660f4baa569c5eaac30d8a737e4cbb106742b3b06
                                    • Instruction Fuzzy Hash: F9F0F67560021467CB25B7B58C0286EB72E5FA1B10B44412AF81193342DF249E65CBD1
                                    APIs
                                      • Part of subcall function 0014B170: Sleep.KERNELBASE(00000064), ref: 0014B173
                                      • Part of subcall function 0014B170: CreateMutexA.KERNELBASE(00000000,00000000,001A7224), ref: 0014B191
                                      • Part of subcall function 0014B170: GetLastError.KERNEL32 ref: 0014B199
                                      • Part of subcall function 0014B170: GetLastError.KERNEL32 ref: 0014B1AA
                                      • Part of subcall function 00156F40: IsUserAnAdmin.SHELL32 ref: 00157097
                                      • Part of subcall function 00145CA0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 0014620D
                                    • CreateThread.KERNEL32(00000000,00000000,0015A3B0,00000000,00000000,00000000), ref: 0015A4F6
                                    • CreateThread.KERNEL32(00000000,00000000,Function_0001A440,00000000,00000000,00000000), ref: 0015A507
                                    • CreateThread.KERNEL32(00000000,00000000,0015A4D0,00000000,00000000,00000000), ref: 0015A518
                                    • Sleep.KERNEL32(00007530), ref: 0015A525
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Create$Thread$ErrorLastSleep$AdminMutexOpenUser
                                    • String ID:
                                    • API String ID: 3900192540-0
                                    • Opcode ID: b2e628a984462a52d8f4ac94aa1bff515554e9e34225f63424708ee53e620914
                                    • Instruction ID: 28374f79e6186297a8936ae2c5f4da290e4c9354daa233f2f63e77bfb3855c7f
                                    • Opcode Fuzzy Hash: b2e628a984462a52d8f4ac94aa1bff515554e9e34225f63424708ee53e620914
                                    • Instruction Fuzzy Hash: 34F0C231BE8328B2F13032E41C0BF5929445F54F56FB90212BB297F1E19AC0384456EF
                                    APIs
                                    • WriteConsoleW.KERNEL32(00148FB0,0000000F,001A4160,00000000,00148FB0,?,00188B9A,00148FB0,00000001,00148FB0,00148FB0,?,00183A75,00000000,?,00148FB0), ref: 0018A4C6
                                    • GetLastError.KERNEL32(?,00188B9A,00148FB0,00000001,00148FB0,00148FB0,?,00183A75,00000000,?,00148FB0,00000000,00148FB0,?,00183FC9,00148FB0), ref: 0018A4D2
                                      • Part of subcall function 0018A498: CloseHandle.KERNEL32(FFFFFFFE,0018A4E2,?,00188B9A,00148FB0,00000001,00148FB0,00148FB0,?,00183A75,00000000,?,00148FB0,00000000,00148FB0), ref: 0018A4A8
                                    • ___initconout.LIBCMT ref: 0018A4E2
                                      • Part of subcall function 0018A45A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0018A489,00188B87,00148FB0,?,00183A75,00000000,?,00148FB0,00000000), ref: 0018A46D
                                    • WriteConsoleW.KERNEL32(00148FB0,0000000F,001A4160,00000000,?,00188B9A,00148FB0,00000001,00148FB0,00148FB0,?,00183A75,00000000,?,00148FB0,00000000), ref: 0018A4F7
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    • Opcode ID: 025ec90ddeab7e9b8626e8c99f65dd990421966d3a3a35f600d001ca1adb1c80
                                    • Instruction ID: 61a06746e381c920aa8cd160af5cf701040d1909a9b2c12e488721f9b406da51
                                    • Opcode Fuzzy Hash: 025ec90ddeab7e9b8626e8c99f65dd990421966d3a3a35f600d001ca1adb1c80
                                    • Instruction Fuzzy Hash: 24F03936001218BBDF222FA5EC0CD8A3F66FF493A1B4D4012FB2985530D7B289A1DF91
                                    APIs
                                    • SleepConditionVariableCS.KERNELBASE(?,00160B86,00000064), ref: 00160C0C
                                    • LeaveCriticalSection.KERNEL32(001A9720,001AC650,?,00160B86,00000064,?,74DF0F00,?,00147E9D,001AC650), ref: 00160C16
                                    • WaitForSingleObjectEx.KERNEL32(001AC650,00000000,?,00160B86,00000064,?,74DF0F00,?,00147E9D,001AC650), ref: 00160C27
                                    • EnterCriticalSection.KERNEL32(001A9720,?,00160B86,00000064,?,74DF0F00,?,00147E9D,001AC650), ref: 00160C2E
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                    • String ID:
                                    • API String ID: 3269011525-0
                                    • Opcode ID: 06e80894f38fb5959753f68e7bf00d85ee9e95916ac193b0b7784d8bcbd80224
                                    • Instruction ID: 7b4658ddad509b771f662a1869b1155ff81abfaa3a4022e9fe5e5db2271ddda0
                                    • Opcode Fuzzy Hash: 06e80894f38fb5959753f68e7bf00d85ee9e95916ac193b0b7784d8bcbd80224
                                    • Instruction Fuzzy Hash: E6E09236521228BBCB021FD0EC09EDE7F69EB0EB51B150062F50566570C77129D1CFE4
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                     • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                     • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Sleep
                                    • String ID: runas
                                    • API String ID: 3472027048-4000483414
                                    • Opcode ID: 63d26b0b5fc36cd9f864784f6e6d0626a4ea8b8be0d9c6244e6352bfd75ceef5
                                    • Instruction ID: 59b66753f158ca59275b80f4bc2e95e089bf86a842cfcc0d5c387e2b14dea1c1
                                    • Opcode Fuzzy Hash: 63d26b0b5fc36cd9f864784f6e6d0626a4ea8b8be0d9c6244e6352bfd75ceef5
                                    • Instruction Fuzzy Hash: 72E17C71A10244ABDF08EF78CD86BAEBB72EF55300F64824CF4159B3D2DB359A448792
                                    APIs
                                    • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 001751B4
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 001751FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
                                    • String ID: pContext
                                    • API String ID: 3390424672-2046700901
                                    • Opcode ID: 4a1f83dea594b28384b4fc437872979203f8e68ce61e20e83a7c45a654d4bda5
                                    • Instruction ID: afc4caf977f89bb316760731d2df27ece11ef179f87ec6bcafcc585f5d100356
                                    • Opcode Fuzzy Hash: 4a1f83dea594b28384b4fc437872979203f8e68ce61e20e83a7c45a654d4bda5
                                    • Instruction Fuzzy Hash: C1110636A006149BCF19BF68C894A6D73B7BF94321B558069EC1A9B242DBB0DD05CBD0
                                    APIs
                                    • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0016F3A1
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0016F3B4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
                                    • String ID: pContext
                                    • API String ID: 548886458-2046700901
                                    • Opcode ID: e9681e6002cd144cd50f473285c2223f505f2df0c563a732f0aa72030533fefe
                                    • Instruction ID: fb7bf2b1dc4be67d3f2c627c10b3f2e9d026d40e4705bdc8f478325ec764dbe3
                                    • Opcode Fuzzy Hash: e9681e6002cd144cd50f473285c2223f505f2df0c563a732f0aa72030533fefe
                                    • Instruction Fuzzy Hash: 3FE09239B00114A7CB04BB68DC59C9DB7BBAFE47107244069E915A7291DB70AE0AC6D0
                                    APIs
                                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00166F4E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000002.00000002.1669548119.0000000000141000.00000020.00000001.01000000.00000008.sdmp, Offset: 00140000, based on PE: true
                                    • Associated: 00000002.00000002.1669516041.0000000000140000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669593544.0000000000194000.00000002.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669621319.00000000001A6000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669646397.00000000001A8000.00000008.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669659756.00000000001A9000.00000004.00000001.01000000.00000008.sdmp
                                    • Associated: 00000002.00000002.1669674350.00000000001AD000.00000002.00000001.01000000.00000008.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_2_2_140000_Hkbsse.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: std::invalid_argument::invalid_argument
                                    • String ID: pScheduler$version
                                    • API String ID: 2141394445-3154422776
                                    • Opcode ID: f62c48d8c06c50d10c9ae80d64e8af7b388201d7a5bc8ebff26ec16512cbb1a1
                                    • Instruction ID: 5da5fa7c097448716fba3524b85cf8a41ee9d37297d787bd8ab910b6b87ae101
                                    • Opcode Fuzzy Hash: f62c48d8c06c50d10c9ae80d64e8af7b388201d7a5bc8ebff26ec16512cbb1a1
                                    • Instruction Fuzzy Hash: 53E08C30544208B7CF15EAA5EC6AACC37AAAB30309F10C0A1B821210D287B49AADCB81

                                    Execution Graph

                                    Execution Coverage:3.1%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:0%
                                    Total number of Nodes:645
                                    Total number of Limit Nodes:9

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Control-flow graph for function 6c833140 (range 6c833140-6c833ad7; rendered graph, edge list not reproduced). Blocks call OpenClipboard, GetClipboardData, GlobalLock, WideCharToMultiByte, GlobalUnlock and CloseClipboard, plus internal helpers 6c83a250, 6c835f40, 6c836080, 6c836200, 6c8363d0, 6c835d30 and 6c831ec0.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: +++$abcdefghijklmnopqrstuvwxyz0123456789$wlt=1
                                    • API String ID: 0-2251221455
                                    • Opcode ID: 9ae76dd7989bafae135bbdebb95f5c875b6b3fbc172820f0e8ef324ad7c62378
                                    • Instruction ID: 016db6871ec44e1923148fac5b6975c5e2ac6cce9c069e6b3427369e85b02750
                                    • Opcode Fuzzy Hash: 9ae76dd7989bafae135bbdebb95f5c875b6b3fbc172820f0e8ef324ad7c62378
                                    • Instruction Fuzzy Hash: 04F11770A00218AFDB24CFA8CE44B9EBBB5EB45718F105A2DE818A7BC0D7759945CBD1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Control-flow graph for function 6c831ec0 (range 6c831ec0-6c8324cf; rendered graph, edge list not reproduced). Blocks call InternetOpenW, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile (in a read loop) and InternetCloseHandle (three times), plus internal helpers 6c835f40, 6c836530, 6c839460, 6c836952, 6c836941, 6c83a250 and 6c836dee.
                                    APIs
                                    • InternetOpenW.WININET(6C84CA04,00000000,00000000,00000000,00000000), ref: 6C831F83
                                    • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6C831FAA
                                    • HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6C831FD4
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6C83200D
                                    • InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6C832027
                                    • InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6C83222D
                                    • InternetCloseHandle.WININET(00000000), ref: 6C832248
                                    • InternetCloseHandle.WININET(?), ref: 6C832250
                                    • InternetCloseHandle.WININET(?), ref: 6C832258
                                    Strings
                                    • POST, xrefs: 6C831FCE
                                    • Content-Type: application/x-www-form-urlencoded, xrefs: 6C831F4D
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
                                    • String ID: Content-Type: application/x-www-form-urlencoded$POST
                                    • API String ID: 1354133546-2387545335
                                    • Opcode ID: ebcba2e8d6ce3e83ba03366b2e804262b4af685d9e44771e1ae30bd90b1f60ef
                                    • Instruction ID: b40cac60f28d5060abda628f2889adf1c9062989efe943a5ea8a6e65a8bbec18
                                    • Opcode Fuzzy Hash: ebcba2e8d6ce3e83ba03366b2e804262b4af685d9e44771e1ae30bd90b1f60ef
                                    • Instruction Fuzzy Hash: 35F1B1B06001289BEB24CF68CD84BDDBB75AF45308F5095A8E60CA7682D7799AC4CFD5

                                    Control-flow Graph

                                    APIs
                                    • __RTC_Initialize.LIBCMT ref: 6C837072
                                    • ___scrt_uninitialize_crt.LIBCMT ref: 6C83708C
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Initialize___scrt_uninitialize_crt
                                    • String ID:
                                    • API String ID: 2442719207-0
                                    • Opcode ID: 32ae6493c55ea9d89a86af600cafbc7c7b6e4e85d3aa537ab8bbf1bd960fdb05
                                    • Instruction ID: ec03a1a924e8386e1d0fbac99546e9ee8a083257a1b1eb478a75bdc6c7b513df
                                    • Opcode Fuzzy Hash: 32ae6493c55ea9d89a86af600cafbc7c7b6e4e85d3aa537ab8bbf1bd960fdb05
                                    • Instruction Fuzzy Hash: 37418E72A01679EADB318FEDCF40A9E7A74EB41758F107929E81CA7B40C77489059BE0

                                    Control-flow Graph

                                    APIs
                                    • GetLastError.KERNEL32(?,?,00000001,6C83BEDB,6C83C185,?,?,6C83B35C), ref: 6C83BC78
                                    • _free.LIBCMT ref: 6C83BCD5
                                    • _free.LIBCMT ref: 6C83BD0B
                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,6C83BEDB,6C83C185,?,?,6C83B35C), ref: 6C83BD16
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    • Opcode ID: 9b465830bf60c4da5ef76b82bf6ae6c4333326db581b83c6074a18258363a9aa
                                    • Instruction ID: 36d5d3f3359764144c3f9c5679080b62ca8f725f76a12396a2cfbb3dd7142e14
                                    • Opcode Fuzzy Hash: 9b465830bf60c4da5ef76b82bf6ae6c4333326db581b83c6074a18258363a9aa
                                    • Instruction Fuzzy Hash: 0811C6B13549346A963125ED8F80E6A2169DBC227EB263E39F92C93AC1DF648805D1D0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Control-flow graph for function 6c83c102 (range 6c83c102-6c83c15e; rendered graph, edge list not reproduced). Blocks call RtlAllocateHeap in a retry loop with internal helpers 6c83ed10, 6c83a6f5 and 6c83bed6.
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C83BCBE,00000001,00000364,00000006,000000FF,?,00000001,6C83BEDB,6C83C185,?,?,6C83B35C), ref: 6C83C143
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID:
                                    • API String ID: 1279760036-0
                                    • Opcode ID: d73e6f88d63e0f6ecbc5c84e3ab7ef24093cbe51c7061ef11516ae11cfcd18e8
                                    • Instruction ID: ae93f1543cf4f6909317ffbb2df292594d2ea7d040cc4e9d75dd09b3e68a3a0c
                                    • Opcode Fuzzy Hash: d73e6f88d63e0f6ecbc5c84e3ab7ef24093cbe51c7061ef11516ae11cfcd18e8
                                    • Instruction Fuzzy Hash: 86F0BB316025349B9F317ADE8E00A5F3768AF4276CF107E21E81C96A81DB60D80092D0
                                    APIs
                                    • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 6C83C6DF
                                    • _free.LIBCMT ref: 6C83C7AF
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 6C83C7BD
                                    • _free.LIBCMT ref: 6C83C80B
                                    • FindClose.KERNEL32(00000000), ref: 6C83C81A
                                    • _free.LIBCMT ref: 6C83C830
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find_free$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 1576393127-0
                                    • Opcode ID: 479e739466da27c32493a7be75a40cc1fc656e9fb7ae99ff46049c1c5dfb0051
                                    • Instruction ID: 13be54080f733d236435ba1b6790c3b7664edceb1514522e9f2ae0e031848094
                                    • Opcode Fuzzy Hash: 479e739466da27c32493a7be75a40cc1fc656e9fb7ae99ff46049c1c5dfb0051
                                    • Instruction Fuzzy Hash: 8D61E6719051385FDF30AFA88D88AE9B7B8AB05308F147BEDD45D93612E7314E858F90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: HeapProcess
                                    • String ID:
                                    • API String ID: 54951025-0
                                    • Opcode ID: aa907e03c75980cc804b3961e93f5f0beaae52e3275c304ed7d7863ddce16737
                                    • Instruction ID: af17266d0f873534ff0556303225267babd04cdd23aa80523b50388c679e9040
                                    • Opcode Fuzzy Hash: aa907e03c75980cc804b3961e93f5f0beaae52e3275c304ed7d7863ddce16737
                                    • Instruction Fuzzy Hash: 52A01130B00280CB8BA08E3082082083AB8BA022ECB008038A000C2020EB288000EA82

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Control-flow graph for function 6c83e64d (range 6c83e64d-6c83e794; rendered graph, edge list not reproduced). Blocks call the internal _free helper 6c83c15f repeatedly together with 6c83e7be, 6c83ea8d and 6c83eb8b.
                                    APIs
                                    • ___free_lconv_mon.LIBCMT ref: 6C83E691
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EAAA
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EABC
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EACE
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EAE0
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EAF2
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB04
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB16
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB28
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB3A
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB4C
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB5E
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB70
                                      • Part of subcall function 6C83EA8D: _free.LIBCMT ref: 6C83EB82
                                    • _free.LIBCMT ref: 6C83E686
                                      • Part of subcall function 6C83C15F: HeapFree.KERNEL32(00000000,00000000,?,6C83B35C), ref: 6C83C175
                                      • Part of subcall function 6C83C15F: GetLastError.KERNEL32(?,?,6C83B35C), ref: 6C83C187
                                    • _free.LIBCMT ref: 6C83E6A8
                                    • _free.LIBCMT ref: 6C83E6BD
                                    • _free.LIBCMT ref: 6C83E6C8
                                    • _free.LIBCMT ref: 6C83E6EA
                                    • _free.LIBCMT ref: 6C83E6FD
                                    • _free.LIBCMT ref: 6C83E70B
                                    • _free.LIBCMT ref: 6C83E716
                                    • _free.LIBCMT ref: 6C83E74E
                                    • _free.LIBCMT ref: 6C83E755
                                    • _free.LIBCMT ref: 6C83E772
                                    • _free.LIBCMT ref: 6C83E78A
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                    • String ID:
                                    • API String ID: 161543041-0
                                    • Opcode ID: ae5b01a34a10525bb9a57f76ea27ef9529835a9d32fda6485ccffd5d6a3eec2a
                                    • Instruction ID: e46d5fad959ae757910859ea26cd69bb4487ed2cdccc9c7c65cb8d1c6eef6ca6
                                    • Opcode Fuzzy Hash: ae5b01a34a10525bb9a57f76ea27ef9529835a9d32fda6485ccffd5d6a3eec2a
                                    • Instruction Fuzzy Hash: F2317F316013259FEB306AB9DE44B9A77E9AF01318F207D29E05DD7AA1DB70AC44DBD0

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Control-flow graph for function 6c838480 (range 6c838480-6c838835; rendered graph, edge list not reproduced). Blocks call the internal helpers 6c83942f, 6c83b64c, 6c83813b, 6c838836, 6c8376f3, 6c837a9a, 6c838e96, 6c83b610, 6c838b17, 6c837cc3, 6c83896c, 6c838400, 6c8378d7, 6c838d96, 6c838f53, 6c838d12 and 6c838b2f.
                                    APIs
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 6C83857B
                                    • type_info::operator==.LIBVCRUNTIME ref: 6C8385A2
                                    • ___TypeMatch.LIBVCRUNTIME ref: 6C8386AE
                                    • IsInExceptionSpec.LIBVCRUNTIME ref: 6C838789
                                    • _UnwindNestedFrames.LIBCMT ref: 6C838810
                                    • CallUnexpected.LIBVCRUNTIME ref: 6C83882B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                    • String ID: csm$csm$csm
                                    • API String ID: 2123188842-393685449
                                    • Opcode ID: 594e7ec060a76b8012009d6f4608ee47d556926a45ac5c0b64b0ba1f7438ceb9
                                    • Instruction ID: 204c42fa4a04654339cc65bc6024ea5687733a704d67a32ab324ea938be96516
                                    • Opcode Fuzzy Hash: 594e7ec060a76b8012009d6f4608ee47d556926a45ac5c0b64b0ba1f7438ceb9
                                    • Instruction Fuzzy Hash: D9C179718002299FCF25CFE8CA8099EBBB5BF05318F14796BE819ABA01D371D955CBD1

                                    Control-flow Graph

                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0

                                    Control-flow Graph

                                    APIs
                                    • _ValidateLocalCookies.LIBCMT ref: 6C837E07
                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 6C837E0F
                                    • _ValidateLocalCookies.LIBCMT ref: 6C837E98
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 6C837EC3
                                    • _ValidateLocalCookies.LIBCMT ref: 6C837F18
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                    • String ID: csm
                                    • API String ID: 1170836740-1018135373

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-$ext-ms-
                                    • API String ID: 0-537541572

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 6C83EBF4: _free.LIBCMT ref: 6C83EC19
                                    • _free.LIBCMT ref: 6C83EC7A
                                      • Part of subcall function 6C83C15F: HeapFree.KERNEL32(00000000,00000000,?,6C83B35C), ref: 6C83C175
                                      • Part of subcall function 6C83C15F: GetLastError.KERNEL32(?,?,6C83B35C), ref: 6C83C187
                                    • _free.LIBCMT ref: 6C83EC85
                                    • _free.LIBCMT ref: 6C83EC90
                                    • _free.LIBCMT ref: 6C83ECE4
                                    • _free.LIBCMT ref: 6C83ECEF
                                    • _free.LIBCMT ref: 6C83ECFA
                                    • _free.LIBCMT ref: 6C83ED05
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0

                                    Control-flow Graph

                                    APIs
                                    • GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6C83FAA4
                                    • __fassign.LIBCMT ref: 6C83FC83
                                    • __fassign.LIBCMT ref: 6C83FCA0
                                    • WriteFile.KERNEL32(?,6C83E184,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C83FCE8
                                    • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C83FD28
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C83FDD4
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileWrite__fassign$ConsoleErrorLast
                                    • String ID:
                                    • API String ID: 4031098158-0
                                    APIs
                                    • GetLastError.KERNEL32(00000001,?,6C837D53,6C836A67,6C836EFC,?,6C837134,?,00000001,?,?,00000001,?,6C84D758,0000000C,6C837228), ref: 6C838157
                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C838165
                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C83817E
                                    • SetLastError.KERNEL32(00000000,6C837134,?,00000001,?,?,00000001,?,6C84D758,0000000C,6C837228,?,00000001,?), ref: 6C8381D0
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLastValue___vcrt_
                                    • String ID:
                                    • API String ID: 3852720340-0
                                    Strings
                                    • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6C83C9D0
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Windows\SysWOW64\rundll32.exe
                                    • API String ID: 0-2837366778
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: api-ms-
                                    • API String ID: 0-2084034818
                                    APIs
                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C83AAD6,?,?,6C83AA9E,?,00000001,?), ref: 6C83AB39
                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C83AB4C
                                    • FreeLibrary.KERNEL32(00000000,?,?,6C83AAD6,?,?,6C83AA9E,?,00000001,?), ref: 6C83AB6F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressFreeHandleLibraryModuleProc
                                    • String ID: CorExitProcess$mscoree.dll
                                    • API String ID: 4061214504-1276376045
                                    APIs
                                    • _free.LIBCMT ref: 6C83EBA3
                                      • Part of subcall function 6C83C15F: HeapFree.KERNEL32(00000000,00000000,?,6C83B35C), ref: 6C83C175
                                      • Part of subcall function 6C83C15F: GetLastError.KERNEL32(?,?,6C83B35C), ref: 6C83C187
                                    • _free.LIBCMT ref: 6C83EBB5
                                    • _free.LIBCMT ref: 6C83EBC7
                                    • _free.LIBCMT ref: 6C83EBD9
                                    • _free.LIBCMT ref: 6C83EBEB
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AdjustPointer
                                    • String ID:
                                    • API String ID: 1740715915-0
                                    APIs
                                      • Part of subcall function 6C83C885: _free.LIBCMT ref: 6C83C893
                                      • Part of subcall function 6C83D45F: WideCharToMultiByte.KERNEL32(?,00000000,6C83E1F5,00000000,00000001,6C83E184,6C8403EC,?,6C83E1F5,?,00000000,?,6C84015B,0000FDE9,00000000,?), ref: 6C83D501
                                    • GetLastError.KERNEL32 ref: 6C83C2CB
                                    • __dosmaperr.LIBCMT ref: 6C83C2D2
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6C83C311
                                    • __dosmaperr.LIBCMT ref: 6C83C318
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                    • String ID:
                                    • API String ID: 167067550-0
                                    APIs
                                    • GetLastError.KERNEL32(?,?,?,6C83FEA2,00000000,00000001,6C83E1F5,?,6C840361,00000001,?,?,?,6C83E184,?,00000000), ref: 6C83BB21
                                    • _free.LIBCMT ref: 6C83BB7E
                                    • _free.LIBCMT ref: 6C83BBB4
                                    • SetLastError.KERNEL32(00000000,00000006,000000FF,?,6C840361,00000001,?,?,?,6C83E184,?,00000000,00000000,6C84DAD8,0000002C,6C83E1F5), ref: 6C83BBBF
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ErrorLast_free
                                    • String ID:
                                    • API String ID: 2283115069-0
                                    APIs
                                    • WriteConsoleW.KERNEL32(?,?,6C83E1F5,00000000,?,?,6C8408D0,?,00000001,?,00000001,?,6C83FE31,00000000,00000000,00000001), ref: 6C840E8D
                                    • GetLastError.KERNEL32(?,6C8408D0,?,00000001,?,00000001,?,6C83FE31,00000000,00000000,00000001,00000000,00000001,?,6C840385,6C83E184), ref: 6C840E99
                                      • Part of subcall function 6C840E5F: CloseHandle.KERNEL32(FFFFFFFE,6C840EA9,?,6C8408D0,?,00000001,?,00000001,?,6C83FE31,00000000,00000000,00000001,00000000,00000001), ref: 6C840E6F
                                    • ___initconout.LIBCMT ref: 6C840EA9
                                      • Part of subcall function 6C840E21: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C840E50,6C8408BD,00000001,?,6C83FE31,00000000,00000000,00000001,00000000), ref: 6C840E34
                                    • WriteConsoleW.KERNEL32(?,?,6C83E1F5,00000000,?,6C8408D0,?,00000001,?,00000001,?,6C83FE31,00000000,00000000,00000001,00000000), ref: 6C840EBE
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                    • String ID:
                                    • API String ID: 2744216297-0
                                    • Opcode ID: 66bdfce4924e9a954243164a58b61dcfc40d159d20a58e4413a1f16c76edd1a7
                                    • Instruction ID: 90972eefe51ee1deb78547135d8a10d9af65efa10566f0df513005ba4ea2bd3b
                                    • Opcode Fuzzy Hash: 66bdfce4924e9a954243164a58b61dcfc40d159d20a58e4413a1f16c76edd1a7
                                    • Instruction Fuzzy Hash: C0F0FE36101158FBCF322ED5CD08D8B3E75EB19369B048964FA1885220D7328820EBE1
                                    APIs
                                    • _free.LIBCMT ref: 6C83B4A6
                                      • Part of subcall function 6C83C15F: HeapFree.KERNEL32(00000000,00000000,?,6C83B35C), ref: 6C83C175
                                      • Part of subcall function 6C83C15F: GetLastError.KERNEL32(?,?,6C83B35C), ref: 6C83C187
                                    • _free.LIBCMT ref: 6C83B4B9
                                    • _free.LIBCMT ref: 6C83B4CA
                                    • _free.LIBCMT ref: 6C83B4DB
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    • Opcode ID: 3ce3cf0d369ce5240691844ab9a500b615a0316de09d9dca3227ca0148fcb676
                                    • Instruction ID: caf8251870837d3a66b71a902116edcccb070f5a91dbbd1e294eec6570a2f7cf
                                    • Opcode Fuzzy Hash: 3ce3cf0d369ce5240691844ab9a500b615a0316de09d9dca3227ca0148fcb676
                                    • Instruction Fuzzy Hash: 0EE04F757145B09ECEF22F9888004893B32AB4661C7812A37E40C02B22C7B91152EFC0
                                    APIs
                                    • std::_Xinvalid_argument.LIBCPMT ref: 6C836695
                                      • Part of subcall function 6C836901: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C83690D
                                    • Concurrency::cancel_current_task.LIBCPMT ref: 6C8367DE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                    • String ID: string too long
                                    • API String ID: 3990507346-2556327735
                                    • Opcode ID: 14ebe031e1d1ffde2aca4560da16b0421fad6ffacf1bcacf6d22ff96568615e5
                                    • Instruction ID: 35dfa22f80d827a68c8024a25ce88105d17f8be93fe88e7b7bc71416b4d0ab71
                                    • Opcode Fuzzy Hash: 14ebe031e1d1ffde2aca4560da16b0421fad6ffacf1bcacf6d22ff96568615e5
                                    • Instruction Fuzzy Hash: 3141F272E01138ABCB249FECCA9459EB7A9FF45254B502A7AE819D7B00EB30DD1487D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: C:\Windows\SysWOW64\rundll32.exe
                                    • API String ID: 0-2837366778
                                    • Opcode ID: 5c2969c1f2a9043747d9df5f42d284221981a96a437246510762b85bf23f2f05
                                    • Instruction ID: dd3cc4647c5b8a848ed91b55030e96e08502da42498cfd74d1c27c377c5544eb
                                    • Opcode Fuzzy Hash: 5c2969c1f2a9043747d9df5f42d284221981a96a437246510762b85bf23f2f05
                                    • Instruction Fuzzy Hash: EE418671A04228AFDF319BDDCA80DDE7BB9EB85708F112976E40897B40D7B18A45C7D0
                                    APIs
                                    • EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6C83885B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.4126459506.000000006C831000.00000020.00000001.01000000.0000000B.sdmp, Offset: 6C830000, based on PE: true
                                    • Associated: 00000008.00000002.4126441035.000000006C830000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126486402.000000006C847000.00000002.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126508131.000000006C84F000.00000004.00000001.01000000.0000000B.sdmp
                                    • Associated: 00000008.00000002.4126530922.000000006C851000.00000002.00000001.01000000.0000000B.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_6c830000_rundll32.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: EncodePointer
                                    • String ID: MOC$RCC
                                    • API String ID: 2118026453-2084237596
                                    • Opcode ID: 1d9b680fd689dc4574b7125bae55b893b730c0ef3ac339f7bf86b94164063403
                                    • Instruction ID: 8f1bfd45e7f440fdda1d3338b0d1abfc783ebdfbba9f95d5fff8d4989c2e8f55
                                    • Opcode Fuzzy Hash: 1d9b680fd689dc4574b7125bae55b893b730c0ef3ac339f7bf86b94164063403
                                    • Instruction Fuzzy Hash: 67415971900229EFCF21CFD8CE80AEE7BB5BF48318F14656AED18A7650D335A950DB91
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1934367814.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b4b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1fc9753167c409abec9310b66ff9f0f9a48a52f150bfb44718ff3b54e374fe33
                                    • Instruction ID: ccdb6199cff3405b96ea59cf2960cf5bd6dffb1661eb2b6cc2c216f699efd716
                                    • Opcode Fuzzy Hash: 1fc9753167c409abec9310b66ff9f0f9a48a52f150bfb44718ff3b54e374fe33
                                    • Instruction Fuzzy Hash: 57715C30B0CE098FDB68EA28D865AB673D2EFA8714715416CE05EC76E6CE24FC429744
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1934759363.00007FFD9B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B580000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b580000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6926ad4a071607a61e3348c4c242dd8db2f7f5e098b2ea8e90c5834ebe849061
                                    • Instruction ID: 1eabdcd4b09b6b4d8b4836cf391ede2a7d197737531635c45d25ebe1a6a78d76
                                    • Opcode Fuzzy Hash: 6926ad4a071607a61e3348c4c242dd8db2f7f5e098b2ea8e90c5834ebe849061
                                    • Instruction Fuzzy Hash: 77410B32B0EE5D1FF7E9965C68222B873C2DF85620B8501BFD54EC3193DE26AC0242C5
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1934367814.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b4b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3585dbb95748bce56bf4b7b184e0ebb9a8d031a6f614b1c088567b0baa20eb0a
                                    • Instruction ID: 0431c37c2d2c3b5eb7b953983d6aa2578aaec5d0bb88c836aa39e4ac127986a4
                                    • Opcode Fuzzy Hash: 3585dbb95748bce56bf4b7b184e0ebb9a8d031a6f614b1c088567b0baa20eb0a
                                    • Instruction Fuzzy Hash: 8B411562B1DE4E0FE778A69C94656B173C1EF68B14F4105BFE49EC31E7ED08B9468280
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1934759363.00007FFD9B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B580000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b580000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 78536c1f17d3e038200b9cbde6d65224e828fb7e68b74f77742a67ee06464e8b
                                    • Instruction ID: f253fe1dd517bf7c35c277139c1ada69b3964b7f74b3dcd1ca0cc7f7fc843cf3
                                    • Opcode Fuzzy Hash: 78536c1f17d3e038200b9cbde6d65224e828fb7e68b74f77742a67ee06464e8b
                                    • Instruction Fuzzy Hash: 8211E963B1FE191BF7FA561C242227973C6DF856217C901BEE54EC3297DD166C0201C9
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1934759363.00007FFD9B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B580000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b580000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cc18968e7cb4fd2a86b7e434d7911668e574cd107b35c248a99cd1419ea6afd4
                                    • Instruction ID: b2570235bf937aa16c7bfd06d83b2099050f746623097f8a967cf6886cc799e1
                                    • Opcode Fuzzy Hash: cc18968e7cb4fd2a86b7e434d7911668e574cd107b35c248a99cd1419ea6afd4
                                    • Instruction Fuzzy Hash: 16112CA2A0FF854FF7B25AB868251916BF0EF51670F5847BED0BAC71D3DC2868414700
                                    Memory Dump Source
                                    • Source File: 00000009.00000002.1934367814.00007FFD9B4B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4B0000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_9_2_7ffd9b4b0000_powershell.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                    • Instruction ID: 2b9750d488bf851a6093a9cf02477a6a7f83bc3db41e3a1742ee8449413fe214
                                    • Opcode Fuzzy Hash: 5e0cd8e44b86cda1606cdcda3d5cd9c82b965f1b77ca43a9ede1ee8a995a9426
                                    • Instruction Fuzzy Hash: A801AC3110CB0C4FD744DF0CD051AA5B3E0FB85324F50056DE58AC3561DA32E882CB41