
Windows Analysis Report
A1E1u0Rnel.exe

Overview

General Information

Sample name: A1E1u0Rnel.exe (renamed because the original name is a hash value)
Original sample name: 9e8835f955e76958242682c313e7195c.exe
Analysis ID: 1517805
MD5: 9e8835f955e76958242682c313e7195c
SHA1: 51544394f6867baaf518768fae610be8afdf48fd
SHA256: 3dbd82fe0ab3c3ed3ecabe41b6aee651928f0305b07b0285828fd878d84ee4a9
Tags: Amadey, exe, user-abuse_ch

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
One or more processes crash
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • A1E1u0Rnel.exe (PID: 7380 cmdline: "C:\Users\user\Desktop\A1E1u0Rnel.exe" MD5: 9E8835F955E76958242682C313E7195C)
    • WerFault.exe (PID: 7592 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 724 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7692 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 744 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 864 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 900 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7924 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 892 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8040 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1108 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1144 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8176 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1212 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2880 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1236 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • skotes.exe (PID: 7216 cmdline: "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe" MD5: 9E8835F955E76958242682C313E7195C)
      • WerFault.exe (PID: 3964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 480 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 5464 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 488 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • WerFault.exe (PID: 1964 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 492 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 5868 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1408 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 6096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1568 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 7608 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1548 MD5: C31336C1EFC2CCB44B4326EA793040F2)
Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Extracted malware configuration:
{"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source | Rule | Description | Author | Strings
00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0x9e8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000000.00000003.1360771683.0000000002290000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000019.00000003.1562563345.0000000002140000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
00000019.00000002.1788999781.000000000063D000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown
  • 0xfe8:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source | Rule | Description | Author | Strings
25.2.skotes.exe.400000.0.raw.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0.3.A1E1u0Rnel.exe.2290000.0.raw.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
25.3.skotes.exe.2140000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
25.2.skotes.exe.400000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0.2.A1E1u0Rnel.exe.400000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security

System Summary

Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe, ParentCommandLine: "C:\Users\user\Desktop\A1E1u0Rnel.exe", ParentImage: C:\Users\user\Desktop\A1E1u0Rnel.exe, ParentProcessId: 7380, ParentProcessName: A1E1u0Rnel.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe" , ProcessId: 7216, ProcessName: skotes.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-25T07:47:20.509063+0200 | 2856147 | 1 | A Network Trojan was detected | 192.168.2.7 | 60163 | 185.215.113.43 | 80 | TCP


AV Detection

Source: 00000000.00000003.1360771683.0000000002290000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | ReversingLabs: Detection: 52%
Source: A1E1u0Rnel.exe | ReversingLabs: Detection: 52%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: A1E1u0Rnel.exe | Joe Sandbox ML: detected

Compliance

Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Unpacked PE file: 0.2.A1E1u0Rnel.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Unpacked PE file: 25.2.skotes.exe.400000.0.unpack
Source: A1E1u0Rnel.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0043DC0D FindFirstFileExW
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0225DE74 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_0043DC0D FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_0210DE74 FindFirstFileExW

Networking

Source: Network traffic | Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.7:60163 -> 185.215.113.43:80
Source: Malware configuration extractor | IPs: 185.215.113.43
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0040AA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA
Source: Amcache.hve.5.dr | String found in binary or memory: http://upx.sf.net

System Summary

Source: 00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.1788999781.000000000063D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0041CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_0041CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00409A00
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0040AA09
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00447049
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00426192
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_004431A8
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00421602
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0044779B
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00448860
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_004478BB
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00404B30
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00442D10
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00404DE0
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00423DF1
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00420E13
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_00437F36
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_022672B0
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_022463F9
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0224107A
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02225047
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02244058
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0225819D
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02267A02
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02268AC7
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02267B22
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02241869
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02262F77
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_02224D97
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00409A00
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00447049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00426192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_004431A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00421602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_0044779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00448860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_004478BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00404B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00442D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00404DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00423DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00420E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_00437F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_021172B0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_020F63F9
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_020D5047
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_020F4058
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_020F107A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_0210819D
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_02117A02
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_02118AC7
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_02117B22
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_020F1869
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_02112F77
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: 25_2_020D4D97
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe 3DBD82FE0AB3C3ED3ECABE41B6AEE651928F0305B07B0285828FD878D84EE4A9
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: String function: 0041DF80 appears 41 times
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: String function: 0223DBA9 appears 68 times
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: String function: 0223E1E7 appears 38 times
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: String function: 0041D942 appears 75 times
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: String function: 02238327 appears 135 times
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: String function: 004180C0 appears 131 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 0041DF80 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 020EDBA9 appears 68 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 020E8327 appears 135 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 020EE1E7 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 0041D942 appears 75 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Code function: String function: 004180C0 appears 131 times
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 724
Source: A1E1u0Rnel.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.1788999781.000000000063D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: A1E1u0Rnel.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: skotes.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/68@0/1
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0079DA16 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Code function: 0_2_0040AA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7380
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7216
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | File created: C:\Users\user~1\AppData\Local\Temp\abc3bc1985
Source: A1E1u0Rnel.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: A1E1u0Rnel.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | File read: C:\Users\user\Desktop\A1E1u0Rnel.exe
Source: unknown | Process created: C:\Users\user\Desktop\A1E1u0Rnel.exe "C:\Users\user\Desktop\A1E1u0Rnel.exe"
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 724
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 744
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 864
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 912
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 900
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 892
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1108
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1144
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1212
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1236
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1408
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1568
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 480
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 488
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 492
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1548
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\A1E1u0Rnel.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Unpacked PE file: 0.2.A1E1u0Rnel.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 25.2.skotes.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Unpacked PE file: 0.2.A1E1u0Rnel.exe.400000.0.unpack
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 25.2.skotes.exe.400000.0.unpack
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0042BF99 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0042BF99
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_00411359 push es; ret 0_2_0041135A
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041D91C push ecx; ret 0_2_0041D92F
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041DFC6 push ecx; ret 0_2_0041DFD9
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_007B80C9 push esi; iretd 0_2_007B80EC
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_007A1B50 pushad ; iretd 0_2_007A1B51
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_022315C0 push es; ret 0_2_022315C1
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0223DB83 push ecx; ret 0_2_0223DB96
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_02220F97 push 0044C2D0h; retn 0044h 0_2_02221269
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_00411359 push es; ret 25_2_0041135A
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0041D91C push ecx; ret 25_2_0041D92F
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0041DFC6 push ecx; ret 25_2_0041DFD9
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_00642150 pushad ; iretd 25_2_00642151
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0063D67C pushad ; retf 25_2_0063D6D5
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_006586C9 push esi; iretd 25_2_006586EC
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020E15C0 push es; ret 25_2_020E15C1
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020EDB83 push ecx; ret 25_2_020EDB96
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020D0F97 push 0044C2D0h; retn 0044h 25_2_020D1269
                  Source: A1E1u0Rnel.exe Static PE information: section name: .text entropy: 7.875731644568043
                  Source: skotes.exe.0.dr Static PE information: section name: .text entropy: 7.875731644568043
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe File created: C:\Windows\Tasks\skotes.job
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041C768 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0041C768
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe API coverage: 2.8 %
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API coverage: 1.6 %
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0043DC0D FindFirstFileExW,0_2_0043DC0D
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0225DE74 FindFirstFileExW,0_2_0225DE74
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0043DC0D FindFirstFileExW,25_2_0043DC0D
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0210DE74 FindFirstFileExW,25_2_0210DE74
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_00407D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_00407D30
                  Source: Amcache.hve.5.dr Binary or memory string: VMware
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.5.dr Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1hbin@
                  Source: Amcache.hve.5.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.5.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.5.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.sys
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.5.dr Binary or memory string: \driver\vmci,\driver\pci
                  Source: Amcache.hve.5.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: Amcache.hve.5.dr Binary or memory string: VMware20,1
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.5.dr Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.5.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.5.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.5.dr Binary or memory string: VMware PCI VMCI Bus Device
                  Source: Amcache.hve.5.dr Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.5.dr Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.5.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: Amcache.hve.5.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
                  Source: Amcache.hve.5.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Note: Amcache.hve.5.dr is the analysis machine's own Amcache.hve registry hive, which WerFault.exe copies into its report directory while handling the crashes listed above. The VMware and Hyper-V device strings therefore describe the sandbox host's hardware inventory and are not strings carried by the sample; they are not, on their own, evidence that the sample fingerprints virtual machines.
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Process queried: DebugPort (4 entries)
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort (2 entries)
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00436AAE
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0042BF99 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0042BF99
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0043A302 mov eax, dword ptr fs:[00000030h] 0_2_0043A302
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0043652B mov eax, dword ptr fs:[00000030h] 0_2_0043652B
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0079D2F3 push dword ptr fs:[00000030h] 0_2_0079D2F3
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_02256792 mov eax, dword ptr fs:[00000030h] 0_2_02256792
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0225A569 mov eax, dword ptr fs:[00000030h] 0_2_0225A569
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0222092B mov eax, dword ptr fs:[00000030h] 0_2_0222092B
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_02220D90 mov eax, dword ptr fs:[00000030h] 0_2_02220D90
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0043A302 mov eax, dword ptr fs:[00000030h] 25_2_0043A302
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0043652B mov eax, dword ptr fs:[00000030h] 25_2_0043652B
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0063D8F3 push dword ptr fs:[00000030h] 25_2_0063D8F3
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_02106792 mov eax, dword ptr fs:[00000030h] 25_2_02106792
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0210A569 mov eax, dword ptr fs:[00000030h] 25_2_0210A569
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020D092B mov eax, dword ptr fs:[00000030h] 25_2_020D092B
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020D0D90 mov eax, dword ptr fs:[00000030h] 25_2_020D0D90
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041D1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0041D1E7
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00436AAE
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041DBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0041DBA5
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041DD0A SetUnhandledExceptionFilter,0_2_0041DD0A
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0223D44E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0223D44E
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0223DE0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0223DE0C
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_02256D15 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_02256D15
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0041D1E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_0041D1E7
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_00436AAE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_00436AAE
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0041DBA5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_0041DBA5
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0041DD0A SetUnhandledExceptionFilter,25_2_0041DD0A
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020ED44E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_020ED44E
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020EDE0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_020EDE0C
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_02106D15 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_02106D15
                  Note: "Process queried: DebugPort" is NtQueryInformationProcess with the ProcessDebugPort class, and "mov eax, dword ptr fs:[00000030h]" reads the 32-bit PEB, whose BeingDebugged byte and NtGlobalFlag field are the usual anti-debug targets. The 0x0222xxxx to 0x0225xxxx addresses (0x020Dxxxx to 0x0210xxxx in skotes.exe) mirror the 0x0040xxxx functions at a fixed offset and belong to the second, unpacked copy of the image that the Yara rules match in memory. By contrast, the SetUnhandledExceptionFilter/UnhandledExceptionFilter/GetCurrentProcess/TerminateProcess chain and the IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter chain are the MSVC CRT's security-failure and fast-fail handlers, present in any /GS-compiled binary, so they carry little weight as anti-debugging evidence on their own.

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_004070A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,0_2_004070A0
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0041DD91 cpuid 0_2_0041DD91
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0040AA09 SetCurrentDirectoryA,GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,0_2_0040AA09
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0040B1A0 GetUserNameA,0_2_0040B1A0
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_00442517 _free,_free,_free,GetTimeZoneInformation,_free,0_2_00442517
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_00407D30 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,0_2_00407D30
                  Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
                  Source: Amcache.hve.5.dr Binary or memory string: MsMpEng.exe
                  Note: the first entry is the classic process-hollowing (RunPE) sequence: a child is created, its main thread's context is captured, the payload is mapped with VirtualAllocEx and written with WriteProcessMemory, the entry point is redirected with SetThreadContext, and the thread is resumed. The msmpeng.exe paths, however, come from the analysis machine's Amcache hive (Amcache.hve.5.dr, collected by WerFault.exe), which records the Windows Defender engine installed on the sandbox; they are not strings inside the sample.
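The 0_2_004070A0 entry above is worth turning into a detection rather than reading by eye. The following is an added example (not Joe Sandbox code and not part of the original report): it parses the report's "Code function" lines and flags any function whose call list contains the hollowing chain in order, allowing unrelated calls in between. The first sample line is the report's own entry; the other two lines, the `installer.exe` and `dbg.exe` paths, are constructed for contrast and do not appear in the report.

```python
"""Flag process-hollowing (RunPE) API chains in sandbox "Code function" call lists."""
import re
from dataclasses import dataclass, field

# Ordered hollowing chain, matched as a subsequence (other calls may sit between the
# elements). Prefixes are used so CreateProcessA/W are both caught. The report's
# 0_2_004070A0 shows exactly this chain with VirtualAllocEx/ReadProcessMemory around it;
# NtUnmapViewOfSection is deliberately not required, since many loaders overwrite the
# original image in place instead of unmapping it.
HOLLOWING_CHAIN = ("CreateProcess", "GetThreadContext", "WriteProcessMemory",
                   "SetThreadContext", "ResumeThread")

# Joe Sandbox format: "... Code function: <pid>_<stage>_<addr> call,call,...,<pid>_<stage>_<addr>"
LINE_RE = re.compile(r"Code function:\s*(?P<fid>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<calls>\S+)")


@dataclass
class CodeFunction:
    function_id: str
    calls: list = field(default_factory=list)


def parse_code_function(line):
    """Return a CodeFunction for one sandbox 'Code function' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fid = m.group("fid")
    # The trailing function id is a link artefact of the report, not an API call.
    calls = [c for c in m.group("calls").split(",") if c and c != fid]
    return CodeFunction(fid, calls)


def ordered_subsequence(calls, chain):
    """Indices in calls that match each chain prefix in order, or None if any element is missing."""
    matched, start = [], 0
    for needle in chain:
        for i in range(start, len(calls)):
            if calls[i].startswith(needle):
                matched.append(i)
                start = i + 1
                break
        else:
            return None
    return matched


def find_hollowing(lines, chain=HOLLOWING_CHAIN):
    """Return (function_id, matched_calls) for every function whose call list contains the chain."""
    hits = []
    for line in lines:
        fn = parse_code_function(line)
        if fn is None:
            continue
        idx = ordered_subsequence(fn.calls, chain)
        if idx is not None:
            hits.append((fn.function_id, [fn.calls[i] for i in idx]))
    return hits


# Sample input. Line 1 is the report's own 0_2_004070A0 entry; lines 2 and 3 are constructed
# here (a plain child-process launch and a debugger-style memory read) and are not from the report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_004070A0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,0_2_004070A0",
    r"Source: C:\Users\user\Desktop\installer.exe Code function: 0_2_00401000 GetModuleFileNameA,CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,0_2_00401000",
    r"Source: C:\Users\user\Desktop\dbg.exe Code function: 0_2_00402000 OpenProcess,ReadProcessMemory,GetThreadContext,CloseHandle,0_2_00402000",
]

if __name__ == "__main__":
    for fid, calls in find_hollowing(SAMPLE_LINES):
        print(fid, "->", ",".join(calls))
```

Only the report's function is flagged; the child-process launch lacks the context and memory-write steps, and the debugger-style read never creates a process. Matching on prefixes and on order, rather than on an exact call list, is what keeps the rule stable across samples that interleave extra VirtualAlloc or ReadProcessMemory calls.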

                  Stealing of Sensitive Information

                  Source: Yara match, File source: 25.2.skotes.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.A1E1u0Rnel.exe.2290000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 25.3.skotes.exe.2140000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 25.2.skotes.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.A1E1u0Rnel.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.A1E1u0Rnel.exe.2220e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 25.3.skotes.exe.2140000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 25.2.skotes.exe.20d0e67.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.A1E1u0Rnel.exe.400000.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.A1E1u0Rnel.exe.2290000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 25.2.skotes.exe.20d0e67.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.A1E1u0Rnel.exe.2220e67.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1360771683.0000000002290000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000019.00000003.1562563345.0000000002140000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0042EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_0042EC48
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0042DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_0042DF51
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0224E1B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,0_2_0224E1B8
                  Source: C:\Users\user\Desktop\A1E1u0Rnel.exe Code function: 0_2_0224EEAF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,0_2_0224EEAF
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0042EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,25_2_0042EC48
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_0042DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,25_2_0042DF51
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020FE1B8 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,25_2_020FE1B8
                  Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 25_2_020FEEAF Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,25_2_020FEEAF
                  MITRE ATT&CK matrix (a leading number marks a technique matched by this sample's signatures, with the count as the report shows it; unnumbered cells are the unmatched entries of the matrix template):

                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | LSASS Memory | 131 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 111 Process Injection | Security Account Manager | 1 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 22 Software Packing | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 15 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                  Behavior Graph ID: 1517805, Sample: A1E1u0Rnel.exe, Start date: 25/09/2024, Architecture: WINDOWS, Score: 100
                  Network: 185.215.113.43 (WHOLESALECONNECTIONSNL, Portugal)
                  Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
                  Process tree:
                  • A1E1u0Rnel.exe (started)
                    • dropped: C:\Users\user\AppData\Local\...\skotes.exe (PE32); C:\Users\user\...\skotes.exe:Zone.Identifier (ASCII)
                    • signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Contains functionality to inject code into remote processes
                    • skotes.exe (started)
                      • signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header)
                      • WerFault.exe (started, 3 instances)
                    • WerFault.exe (started, 2 instances), each dropping C:\ProgramData\Microsoft\...\Report.wer (Unicode)
                    • 11 other processes (started), dropping three further C:\ProgramData\Microsoft\...\Report.wer files (Unicode) and 8 other malicious files

                  Source | Detection | Scanner | Label
                  A1E1u0Rnel.exe | 53% | ReversingLabs | Win32.Trojan.Amadey
                  A1E1u0Rnel.exe | 100% | Joe Sandbox ML |
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | 53% | ReversingLabs | Win32.Trojan.Amadey
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  http://upx.sf.net | 0% | URL Reputation | safe
                  No contacted domains info
                  Name | Source | Malicious | Antivirus Detection | Reputation
                  http://upx.sf.net | Amcache.hve.5.dr | false | URL Reputation: safe | unknown
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  185.215.113.43 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1517805
                  Start date and time:2024-09-25 07:45:08 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 20s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed:40
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:A1E1u0Rnel.exe
                  renamed because original name is a hash value
                  Original Sample Name:9e8835f955e76958242682c313e7195c.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@19/68@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 95%
                  • Number of executed functions: 32
                  • Number of non-executed functions: 359
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, SIHClient.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 20.189.173.22
                  • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                  • Not all processes were analyzed, report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size exceeded maximum capacity and may have missing disassembly code.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: A1E1u0Rnel.exe
                  Time | Type | Description
                  03:15:39 | API Interceptor | 4x Sleep call for process: WerFault.exe modified
                  07:46:15 | Task Scheduler | Run new task: skotes path: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
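The scheduled task registered at 07:46:15 is the persistence a responder has to find on real hosts, and the report shows the pitfall: the action path uses the 8.3 short name `user~1`, so a literal match on `\Users\user\AppData\Local\Temp` misses it. The following is an added example (not Joe Sandbox code and not part of the original report) that parses Task Scheduler XML definitions, the format stored under C:\Windows\System32\Tasks, expands `%VAR%` references, and flags any Exec action launched from a user temp directory. The three task definitions are constructed: the first mirrors the report's `skotes` task (its LogonTrigger is assumed, the report does not state the trigger), the second is modeled on the stock ScheduledDefrag task, and the third is an invented `%TEMP%` launcher that exercises variable expansion.

```python
"""Hunt Task Scheduler XML definitions whose Exec action runs from a user-writable temp path."""
import re
import xml.etree.ElementTree as ET

# Namespace used by every task definition under C:\Windows\System32\Tasks.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a scheduled task should not normally execute from. Each pattern accepts either
# slash, any case and an arbitrary user segment, so the 8.3 short name in the report's task
# path (C:\Users\user~1\AppData\Local\Temp\...) is caught as well as the long form.
SUSPICIOUS_DIRS = [
    re.compile(r"(?i)^[a-z]:[\\/]users[\\/][^\\/]+[\\/]appdata[\\/]local[\\/]temp[\\/]"),
    re.compile(r"(?i)^[a-z]:[\\/]users[\\/][^\\/]+[\\/]appdata[\\/]roaming[\\/]"),
    re.compile(r"(?i)^[a-z]:[\\/]windows[\\/]temp[\\/]"),
]


def expand_command(command, env):
    """Strip surrounding quotes and expand %VAR% references using the supplied environment map."""
    command = command.strip().strip('"')
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), command)


def exec_actions(task_xml):
    """Yield (task_uri, command, arguments) for every <Exec> action in one task definition."""
    # On disk these files are UTF-16 with an XML declaration; read them as bytes
    # (ET.parse(path) or ET.fromstring(data_bytes)) and the declaration is honoured.
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        yield (uri,
               ex.findtext("t:Command", default="", namespaces=TASK_NS),
               ex.findtext("t:Arguments", default="", namespaces=TASK_NS))


def hunt(task_xmls, env):
    """Return [(task_uri, expanded_command)] for actions launched from a suspicious directory."""
    findings = []
    for xml_text in task_xmls:
        for uri, command, _args in exec_actions(xml_text):
            expanded = expand_command(command, env)
            if any(p.match(expanded) for p in SUSPICIOUS_DIRS):
                findings.append((uri, expanded))
    return findings


# Constructed environment for the sample host (assumed values, not from the report).
SAMPLE_ENV = {"WINDIR": r"C:\Windows", "TEMP": r"C:\Users\user\AppData\Local\Temp"}

# Constructed task definitions, not files taken from the report. Task 1 mirrors the report's
# "skotes" task (trigger assumed); task 2 is modeled on the stock ScheduledDefrag task;
# task 3 is an invented %TEMP% launcher.
SAMPLE_TASKS = [
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\skotes</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"</Command></Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updater</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%TEMP%\svc\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>""",
]

if __name__ == "__main__":
    for uri, command in hunt(SAMPLE_TASKS, SAMPLE_ENV):
        print(f"{uri}: {command}")
```

The `skotes` task is flagged through its short-name path and the `%TEMP%` launcher through expansion, while the defrag task resolves under C:\Windows and passes. On a live host, feed the bytes of each file under C:\Windows\System32\Tasks and the environment of the task's principal, since `%TEMP%` differs per user.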
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  185.215.113.43 | file.exe | malicious | Amadey, PureLog Stealer, RedLine, Stealc, zgRAT | 185.215.113.43/Zu7JuNko/index.php
                  185.215.113.43 | file.exe | malicious | Amadey, Stealc | 185.215.113.43/Zu7JuNko/index.php
                  185.215.113.43 | file.exe | malicious | Amadey | 185.215.113.43/Zu7JuNko/index.php
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Go Injector, XWorm | 185.215.113.16
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc, Vidar | 185.215.113.103
                  WHOLESALECONNECTIONSNL | isiihLLJJr.exe | malicious | Stealc | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT | 185.215.113.17
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                  WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey | 185.215.113.16
                  No context
                  Match | Associated Sample Name / URL | Detection | Threat Name | Context
                  C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe | file.exe | malicious | Amadey, Stealc, Vidar |
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.0037107021507727
                    Encrypted:false
                    SSDEEP:192:WtuH9056rAj/1nZrSQWwzuiFlZ24IO8f:CuH+56rAjZzuiFlY4IO8f
                    MD5:3F2852589D41B766F5FD6C455591FB81
                    SHA1:9D2D5F0F66106003D206CD82184AA96E352B6B46
                    SHA-256:ADC3326CB7FBEBE1D4F50DD0D0FECE47FF822D71E56D911F8445EA1719CEC1DB
                    SHA-512:DD0A1ABE1116C0794AF0456AB49F4D9F534A0DACE271F40FDAC321A86111B2273853F35C78DE9C51FF0D9BCB92AF5DF792692DC0A8FE548EAAE432490C7BBAAB
                    Malicious:true
                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.7.2.2.1.1.4.5.2.2.6.5.1.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.1.8.7.2.2.b.3.-.2.d.8.e.-.4.7.3.8.-.8.2.5.d.-.8.2.6.3.0.b.a.1.8.e.5.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.c.1.5.0.c.1.5.-.8.b.7.4.-.4.1.2.5.-.9.1.0.6.-.c.7.2.8.c.f.c.4.c.f.b.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.A.1.E.1.u.0.R.n.e.l...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.d.4.-.0.0.0.1.-.0.0.1.4.-.4.7.d.2.-.f.f.3.7.0.e.0.f.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.0.3.5.3.2.2.9.d.7.f.9.b.1.b.f.e.5.4.1.7.a.4.a.3.e.4.1.8.a.2.c.0.0.0.0.f.f.f.f.!.0.0.0.0.5.1.5.4.4.3.9.4.f.6.8.6.7.b.a.a.f.5.1.8.7.6.8.f.a.e.6.1.0.b.e.8.a.f.d.f.4.8.f.d.!.A.1.E.1.u.0.R.n.e.l...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.9././.2.2.:.1.7.:.4.0.:.4.4.!.0.!.A.1.E.1.u.0.R.n.e.l...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.9895872742162178
                    Encrypted:false
                    SSDEEP:192:Hcnt3AftvH9056rAj/1nZrSQhzuiF/Z24IO8f:8CvH+56rAjvzuiF/Y4IO8f
                    MD5:59C48A668F8225343113E2B5CDC26A3B
                    SHA1:E1CB20813F235D9260F8B6060A24575C6D5F8179
                    SHA-256:54230D4ECE251E395E18A9BD806E296ACAED578D440E5D3280A1EDF4511DE6C6
                    SHA-512:18E45FD9D28AB84B59C4CEA92533AE996968064774027F44E5382C8687C2BDE1875CC62BAFE2CC983629294A3EC2B4319BC8B4A0562EBA994B069D4D36E6557B
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.8371009720112538
                    Encrypted:false
                    SSDEEP:96:/eBi1L/FwsBhqwoA7Rq6tQXIDcQnc6rCcEhcw3r5NX+HbHg/8BRTf3o8Fa9OyRgY:mBqtwH9056rAj/azuiFkZ24IO8f
                    MD5:3D56E24DCD9BDEB9F884795F8FAECBE2
                    SHA1:3571B3F24DE08C381221649E498CA618429C0CB4
                    SHA-256:765587EA35D1E4AB58C54C090B6889E91B6B1FF1BE70C4A5AB6B07C2A9B8A9F8
                    SHA-512:9A6485CE8C77E621B573C20C3A18AB6FC4772D87947C1672318E95DAD3235C0CCBF138D4A7FA1178B528843C2A2C2E10EAA80A08731D88B9E67708A206D9B381
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.9116235244472513
                    Encrypted:false
                    SSDEEP:192:34t2H9056rAj/1nZrSQdzuiF/Z24IO8f:Y2H+56rAjjzuiF/Y4IO8f
                    MD5:AC71C603346DD45379897B9729262D41
                    SHA1:99973A4C183F228A2B702EBAA0BB76452A1367E2
                    SHA-256:935888DEA5C9A60FEFD9C37462EDA7D9D6C713D35182E6AF60AFA7C3300BA6E0
                    SHA-512:30A096F267EA80A95328F258156061A61AF5A5D9F39C3EEB49BB08276A2A678D04E6ABBD19992E5FF9D06FF75CF37A1EA6D6CDEF7369229FE829BAD2568D8862
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.8956078192222737
                    Encrypted:false
                    SSDEEP:96:dX8Q1L/FVsBhqwoA7Rq6tQXIDcQnc6rCcEhcw3r5NX+HbHg/8BRTf3o8Fa9OyRgs:FntVH9056rAj/1nZrHzuiF/Z24IO8f
                    MD5:F181679CB44B24F5671C2BB271F04D94
                    SHA1:335425402FE2BF4F834CC6E0B6E5847721F1C763
                    SHA-256:080892F917FFDBC21960DFA54143C136A978976286617E2628FA316F382A5C79
                    SHA-512:AFA469BAC9020D96D67E419E1175B9B3AA4536E91566960D5609AF2CE4D896B71D180B51D791293AC1C11033DBEF5E3A1AE59046A2EA98D10FB7CD71B8809226
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.99644473995017
                    Encrypted:false
                    SSDEEP:192:LtxH9056rAj/1nZrSQWRzuiFlZ24IO8f:ZxH+56rAjgzuiFlY4IO8f
                    MD5:D81758555C428A4A74EE0323F7DC1BFF
                    SHA1:284A307616719B09B4110A89516D42D04B109D1E
                    SHA-256:746B58EFB6FD035D3C03F2AF7DE1DF5233109BE3A19ED6D79392B63E963C36D7
                    SHA-512:C74B3DBDC0D28259ECA643A5998FF446859AF6A1F7893B1F45BD81C3D1D40FE3D0DD81A108F683DE45E4B41210AF63790D9131082B5AB68804227E23A5B1A47B
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.012254905464525
                    Encrypted:false
                    SSDEEP:192:rtjH9056rAj/1nZrSQWczuiFlZ24IO8f:5jH+56rAjVzuiFlY4IO8f
                    MD5:7A978DD5BBFD30CF3DB811BA790820E2
                    SHA1:F4A44B931404E6077922C3CAD4C2867CC3B82ECE
                    SHA-256:F986DE7FDCD523AD40D5FCFADD5AA5FE24D130B06D575DAA9E74A8770C1E6B46
                    SHA-512:1EAF8FB333C5AB380E1FD7486117DF7EEE860B689F8B4594D1E3680B595144080C92B44FB6A9AFF798D86A3AB1CBFF8FF5822709EB5DBB413D8E7D7AE8B62047
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.9024205848961917
                    Encrypted:false
                    SSDEEP:96:nM1L/FqsBhqwoA7Rq6tQXIDcQnc6rCcEhcw3r5NX+HbHg/8BRTf3o8Fa9OyRgEV0:wtqH9056rAj/1nZrGzuiF/Z24IO8f
                    MD5:B01C5DD01FEF168008C68DAD41A5C0F5
                    SHA1:48E1B9BE97C71F8D1FEFA2B1B63B9380871E44D2
                    SHA-256:4B104A237471148605EF8CACBFD130335C5DEFBAF3C24773A6F714605ACD4356
                    SHA-512:AEA67A644540F162C459A6C4FCB115620A8E68013A5F2663E32F46FBE210241500560FE99ED32202D6F2E156DD223DD2459E06F244F26DD03B2E2B4E516A8A74
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.8704522122222181
                    Encrypted:false
                    SSDEEP:96:NQ1L/FTsBhqwoA7Rq6tQXIDcQnc6rCcEhcw3r5NX+HbHg/8BRTf3o8Fa9OyRgEVa:itTH9056rAj/1qzuiF/Z24IO8f
                    MD5:80C74B2C529BB019F1AACA14D7D1FF3A
                    SHA1:CB7C08B4212466756D4E706086E263D3ECC9D572
                    SHA-256:7C00A0F308A3CEDF4A8CB12597148305902471C2EDFA4FDE1957F16503B19F71
                    SHA-512:383F89A1A2C737B112F07212DE2E3E05FAF5339A5E0D2DCFDA04590305F20341A545ADAF38DFD2857468670F1F6305AADA37C3A4C56A7C5FFC0748B4A1E7A896
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.8955783365801905
                    Encrypted:false
                    SSDEEP:96:1mN1L/FUsBhqwoA7Rq6tQXIDcQnc6rCcEhcw3r5NX+HbHg/8BRTf3o8Fa9OyRgEX:MtUH9056rAj/1nZrHzuiF/Z24IO8f
                    MD5:C13C13F948B7D19C74CBE42C63386A2F
                    SHA1:FE65272292C13E3F52A6AE74FFD159BB55D26ACB
                    SHA-256:58D935B9460DAD4B6F4220349E9C591654A12E53F316D924AC3D6B84E667AF16
                    SHA-512:0B3EA3632194B10CCDDE70714E64B3B7D0B4693E35BB0C61F5F35CE671D0BA64565438C621BB8510FE166C5FFA2E914DD53D7528C08478ADD1FEB96A3F1748D5
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.0986395446234976
                    Encrypted:false
                    SSDEEP:192:YK+tTHrF0MwIwj/1nZrSQW4TzuiFwZ24IO8f:ZqTHrmMwIwjxTzuiFwY4IO8f
                    MD5:E683A41951692692DC4BD27DD26E183E
                    SHA1:899EBA492AE60D87216313CB1D57D58CB6D2CF0F
                    SHA-256:19305DC4EC51670A46865DD82A0036673392836881012BF910AC8FB0DB7DB187
                    SHA-512:05A2BFDF8F12D14E2F7FBC0212D8E9C47D988154F4CFE954EB27720792BD67FFD5B57F88E07EFDBCE9D28936E181A8B59FE2C79E32BC32FC70D9C834A099ED5A
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.09853981567617
                    Encrypted:false
                    SSDEEP:192:+cqtjHrS0eym7j/1nZrSQW4TzuiFwZ24IO8y:gjHrZeym7jxTzuiFwY4IO8y
                    MD5:E5E3DB1440355FE159E487A4ED1B3EA3
                    SHA1:6849E6336FDDF3AB78025911DE8239DA4EB11793
                    SHA-256:04708B513BC838450E6B8A9E5F911C7E20D2FEFB23B11D0EB5DA842AD322443C
                    SHA-512:E98D542B149E4D98CCBE605029D790658D2B8BD95543A1482E118CF995BFFEDBA9F86727C77D75A40D7B8B7A3B6E38354E5E48548767FBE97C7C7108448DC5F3
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):1.0985769669222567
                    Encrypted:false
                    SSDEEP:192:TbVtHHrK0MwIwj/1nZrSQW4TzuiFwZ24IO8y:H3HHrRMwIwjxTzuiFwY4IO8y
                    MD5:0CC4AFBC60A1C7E45554AC251B56F2F3
                    SHA1:65B9CAAA1DE337595DE89B3D2D3E3D5F01967C86
                    SHA-256:B866D60191727485BBA717DAC709BE7168F139FA25228249E1AA621B80566858
                    SHA-512:96F67F6B748088DFF5331C6E601DD30A412AB5A0F349120A4C1DF3385BAF27D9F26F58FD0D3D29D6C93ECF334F1DD58D0BD5D82C607153A947C3D693FC4AC78D
                    Malicious:true
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.7749574045804555
                    Encrypted:false
                    SSDEEP:192:nKUbUBEIS0NJAxN3Sj/jzuiFwZ24IO8KKI:KUQBEIZNJAxcjbzuiFwY4IO85
                    MD5:997CC52396B1559BD4630A0B0FFA963A
                    SHA1:E56953E79B15B90079085E14721284EE2B9EB4ED
                    SHA-256:228024FC58CC9A3A18F0A6F038540F7D21A8F52F7F03D4CE4523DF30B3367767
                    SHA-512:3F0CC94DA8BD8C41D85557086C371B2EE6F069AA1B49B59250AF4D7D43FD4F9D04FD08E30699B711F1B4A39743A165238FCC151F1D5B8132F925B0A1075239C3
                    Malicious:false
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.7741992122823446
                    Encrypted:false
                    SSDEEP:192:GDhJ55UvEIF0o44j03Sj/jzuiFwZ24IO8xKI:Gr5qvEImoFjljbzuiFwY4IO88
                    MD5:8AB5BDC0EDF4F3418CABA3A721D64609
                    SHA1:96D3EABCF1D0ED1F806B62C7E2013E2700CD8A07
                    SHA-256:704D7DFB6254B79AD7A88A8D9C3F565DF3A25A64EEE6A88244B541FC18391356
                    SHA-512:53347A40136A13AF665F956EF0C0DA0B19C0B7F94DFCB93DD8C54FCE8F3B8CD4F8195DC5AEEC28C5EDC51C5CD5C55FC83F39A8B24F40C05C03BDF596CCB0A51C
                    Malicious:false
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.7749468455815802
                    Encrypted:false
                    SSDEEP:192:DZmUxEIK0o44j03Sj/jzuiFwZ24IO8KKI:xxEIRoFjljbzuiFwY4IO85
                    MD5:40F1CE28A560C06455A1A6C90E2B440A
                    SHA1:B19001430A86C6E226E8EE41AA057A41A992DC3A
                    SHA-256:4243BB270B455ECEA84384764A3747EBE87AFBE964144EF964DE34F45A22FBF5
                    SHA-512:E631EA1DEAD1E6A11EA3D356BFD1B754BA25A098020195C8D52E20F08FF82961F1FEBAF8548D89022AE91186E8585381B2AF5F48F5912CAC14EEE1AEA646A6C9
                    Malicious:false
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8326
                    Entropy (8bit):3.6987052948901216
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZw6lY6YNQESU9oDgmfaMpDRC89bcrsfq0m:R6lXJe6i6YuESU9oDgmfaG7cwf4
                    MD5:9255720B1AB5D191AB1EDDB5F95B7BCF
                    SHA1:AB58F2AAE4A26FEF54C787DA8FB582E9C7D04371
                    SHA-256:DBBC9BFF0B94A3CAEE300058C714829F52D8E2FA74173E0C735CF929DCBF146B
                    SHA-512:87E13BAE7C4C911D24D2E1447C56FED6B10569E7FA644D18D0C7FB39BB0C59AFDE33C74FFACD825DAB3C8C0EA4666BE9B5A16803A79AC00262525F03A48CD0D6
                    Malicious:false
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4579
                    Entropy (8bit):4.45725268798868
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsoJg77aI9dunWpW8VYjZYm8M4JI5F6B+q8Ijd0QSlh5d:uIjfuI73j7VpJVtd0QSlh5d
                    MD5:21602F59C2C04F4169C51EB0D455B046
                    SHA1:5519F72598976C0EDB76E7A74A79D4B07F060085
                    SHA-256:758D118E04DABF342E7A7F3BD8E1786C88F76CBD8EB18709D674BC1C4085D0E7
                    SHA-512:29F8AF23FB67FB57E8AB85A702EA97C15D2D0179739FF8A9AC21E156CDB903BA8D9B8B16D6194D5A48CD61405CC2F8A66EA4E3D64A20F41D0129B2BF134821BA
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:17 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):49056
                    Entropy (8bit):2.063667592384286
                    Encrypted:false
                    SSDEEP:192:2bASv8U7kUXrpt298LyObP/Z0qGM+uGB9SbkAJfsdd2ECIQspqyarB7pc:CAaNZptu8LNbXBWAJFhUpKB7
                    MD5:C323C7CFAC204339096FD6E0E3507399
                    SHA1:D902FF4E7113553D3C05E839B4B7C8D398C26FB3
                    SHA-256:DBDA1B68A6D41D7E941A4C3F61B10F19E67450304A60DE47D014EC8FB5DF129A
                    SHA-512:42F221FD9A4D7EA1A8C72783C9D506BAFE9DE6578F359A92351110E88CF3CF25E94C12DC93CAF0AE7FC03DDCC04EA056CB5D86B3D71C65E564DF0D177C1A1602
                    Malicious:false
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8416
                    Entropy (8bit):3.6998018852621763
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZO67e5g6YNKSU9QvCygmfJnpB589bBrsfzLm:R6lXJw67n6YgSU9ZygmfJuBwfO
                    MD5:BFC679B73A7F2D7DA8255F2AD740D913
                    SHA1:4050BF4C7D9D0888044538577F26A1D2C3754FCC
                    SHA-256:763E5B5E88413897BC3F339CD003B64B702290DF4794DADF7DF501BE9132E4A5
                    SHA-512:DBCB2B4797C4737C16F1CA3DCAF94737C1D3B359914BD824A3682A10A7F7075E052053F275ED954DE083075D6B8FBCE6E1E07E0CB1BAA41ED5C59A7577CB7E26
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.481933762647282
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsCJg77aI9dunWpW8VYj4MIYm8M4JIeFz+q8v1Vd0QSlh5d:uIjfQI73j7VMJNKPd0QSlh5d
                    MD5:59FDD74D76C183373E3FD613DB0EF489
                    SHA1:D08BB626498878065218DC66C75273E677D2FF33
                    SHA-256:03CE5A97CE9954C256913C09B8C02B168AFDFED51922532A1DD079A5E614E788
                    SHA-512:8E799EB8B6854C7A7181F11E5A1B7A49B33E135DB5539D02333DE3A76D44EF403EB5383CEF83165E4845A37BA25F2CE574545CC462B58C530A72AB21FC1876DD
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515328" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:19 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):61076
                    Entropy (8bit):2.13859352903295
                    Encrypted:false
                    SSDEEP:192:cWAHt49EXr5SBObPhjPRyGpnuGGIixUSf3NpOWZFfJfsdd2ECIBbtOfCfrTyr4:hAKO5S0bpj5dqxJdIWZ1JFhYtPrTV
                    MD5:DB5F80AD410B58378D9EFA55642A0A3E
                    SHA1:52134D6B8DBB56AF54315A1FD5D6F40B22579B7B
                    SHA-256:474D0836695FB49941204D49D40A244B99B226CB4A2F5832C88AF96BF0D08F29
                    SHA-512:E25653680777AF8750BDA22A3DC84A79ECDEC46C9A479C1245F95AFD893BDAD241633588920C00015A43E329ACE142C4618B9F42AF766E5207FC185252CFEDAD
                    Malicious:false
                    Preview:MDMP..a..... ..........f....................................<................/..........`.......8...........T.......................................................................................................................eJ......h.......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8416
                    Entropy (8bit):3.7020443003919543
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZOl6a6YNiSU9lva3gmfJnpBV89bfrsf9Vm:R6lXJc6a6YoSU9U3gmfJKfwfO
                    MD5:F3D293261CD05C1118D76974D792C562
                    SHA1:BAD260E5C52F1E0FDF38BF20077D73EF5F3A91E8
                    SHA-256:8AA719F2C8B9864DD1F857211C6EA13808555A338DE715D491C9E4D4EE18BE93
                    SHA-512:A6F776F2BFC3DCEDCBF4B4B7D3074BEE244F211A85A79B5D223FDB1349D78CFFB7676283108890B70236343E56303EB806EE5F54B82D37DDC6EBC87D084939CB
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.480535655284876
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg77aI9dunWpW8VYjAYm8M4JIeFbXS+q8v1Vd0QSlh5d:uIjfLI73j7VgJYKPd0QSlh5d
                    MD5:FFCB5F394BE67B835E0EADF63867184E
                    SHA1:C6256DDD0FADFC537AC16C184DBB34ECBF2BF3CF
                    SHA-256:9BB7B8FCB378586F0FD750039AB78E1F5E9915398C440ADF8910DD6DC0DBCE25
                    SHA-512:1B6BC392A45349C2CD772F9359C5B1C08F57C6C721618A3A784BC4FBD85C5CA483CD986E32AFB2919A9F544C1A5F2EFE81B9081DC5FA6D2B8D33D71670277AAE
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515329" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:19 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):77602
                    Entropy (8bit):1.9925255017317927
                    Encrypted:false
                    SSDEEP:384:CADTJOB8Q768bplgaC4Vz6+pJv6YX7JFhOgl6lo:CADTJOCQRbplNu+GYo2
                    MD5:6115A1DCB278533D46C03B44A6EE2A54
                    SHA1:5CFF3643AA3B2B2F7D712A1B6FB03F6EEB19411E
                    SHA-256:66BEB3DD031055AF59EF039AFB95DD84E9D31C13F7B6F02A4054E1C4BADF0957
                    SHA-512:AFAB5B2710935F9F1FE021CB65D7DC3447C6D1E6762E0275336A3441B54D7F06F89A2DEA76F7A538B20DA7799006EFABA1BB16A501246E8073EFC5C3EB62EC3D
                    Malicious:false
                    Preview:MDMP..a..... ..........f........................x...........<...........4....9..........`.......8...........T...........H"..............L...........8...............................................................................eJ..............GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8420
                    Entropy (8bit):3.6998574256329078
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZK6IFS46YNXWSU9lva3gmfJnpBT89bfrsfZVm:R6lXJU6IFN6YVWSU9U3gmfJcfwfy
                    MD5:0B83409AC17B9957C7FB6360EDF48AD4
                    SHA1:168FDD0F24D6AE9A4EA805E5ED1B3387EE04A437
                    SHA-256:32975774EAFCB53ABF453E1BED989C87927C4025F4F6A2EBCA2905F59A7F5FCC
                    SHA-512:B315FF04551A1FD529EF8B304A2BDDF36B0106B8BFA08A4D683133F49F10F53B668AEA7352A06146042955C5F2E3D444D46217BE77E164D47615994DD2F734A7
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.480544527754589
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg77aI9dunWpW8VYjLvYm8M4JIeFQb+q8v1Vd0QSlh5d:uIjfLI73j7VjJibKPd0QSlh5d
                    MD5:3B0E96DCB8BFF36A178EF63070BE4E03
                    SHA1:886901555D32DA61468D191312DABBA275779801
                    SHA-256:31722B151882294777D758805EEA8215223D9E25F1C1F0138E9A7FF23CDD8602
                    SHA-512:715F6DE40CFDC2CAD84350DBE2E23191136F8655A8D05A373B6C7EA4D13B7C54E4FC8590557069CA6CCEAB159E28CDEE859DDFFF4F06DD9A5C3A3B8EC7D39EB9
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515329" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:20 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):81648
                    Entropy (8bit):2.1260437443343596
                    Encrypted:false
                    SSDEEP:384:HAl1OB8Q3ZbpxzawCRz9+pCPyi6YX7JFhaWttMc/q2xBA7vHS9:HAl1OCQpbpxza9x+0gYhttMwovq
                    MD5:866CC4F44A0A33AC970AF6FB1F9701B5
                    SHA1:F21520E372A3412287C10FCCE1327AEA22507373
                    SHA-256:94B7CE86925B19E0586B9D7AB083C6BCD0BE2D8C0B383412A7A3F1199FA03EF9
                    SHA-512:788D6F0D2C8DA47A62483474810CFD8A4D9DA9AA3E5DF5245AFAC1BEDCD1CD5B3BE58363CF31EE0C809368FA3532D3BD30888D600D377578785614DE82F238C7
                    Malicious:false
                    Preview:MDMP..a..... ..........f........................x...........<...........d....9..........`.......8...........T............"..X...........L...........8...............................................................................eJ..............GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8420
                    Entropy (8bit):3.7006511734292658
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZs6IFl6YNgSU9lDJgmfJnpBp89bdrsfLyfm:R6lXJi6IFl6YaSU9BJgmfJudwfLj
                    MD5:E7374E49E20D997DBC2DBFE89CEB49D1
                    SHA1:FBCA944920417764F69924F4A392ACF4BE308504
                    SHA-256:D5254D58C71B3C6A4E9389CF68671CE9A6698D12E633A49EEBE65FC8C894B744
                    SHA-512:12516152D82342C36E5D33194FC5F85C2FF765FCD8DF33093830D1A00EBBCD9F3461F26C1EE99D29654F5EC9FC7F616D18AD010913DBCF475BAD7129702FAEA8
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.482011195780444
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg77aI9dunWpW8VYjxYm8M4JIeFcDJ+q8v1Vd0QSlh5d:uIjfLI73j7VtJaKPd0QSlh5d
                    MD5:97406D2842E2CB2143CEFA9DD37E5D18
                    SHA1:511677E13FF090D4A9EFD5EA12399E99EEF212C9
                    SHA-256:DB9E31352C633583C9871B7FCFFD152425FE69E5B59AE5037029853AF02AA56C
                    SHA-512:27952049A9549FA9026E766488A7FA00729521D4AB31E1D9CBFFD2AF803ADA6EADEB35B2879862D48A87EAB56E30D2E361C48780B702A679A85F73C9DC339CF7
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515329" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:22 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):77060
                    Entropy (8bit):2.0296239197525443
                    Encrypted:false
                    SSDEEP:384:5AzWxQ3b2bpqgPlCfo6+pJPuX7JFhRBgwtY:5AzW23b2bpqgPs3+juKJ
                    MD5:EAE56FD454FCCF8FEB0565D4A9DDA7ED
                    SHA1:11D8FE262B2A2952D2FA66D16A725486830DB014
                    SHA-256:1E1D8D14C7A574CA1E3388C63AD7C0C430A5E391FBF7D63BA7B2E668C1CE422F
                    SHA-512:E3F2B390A442FB612730A6694DD05F3F23654946766DD78245F46C99FB14B740C4A0064E55B7622A076C1731E27FD743EC41D3D6E748D696BE5BA5CDB70A246F
                    Malicious:false
                    Preview:MDMP..a..... ..........f....................................<...|.......$....:..........`.......8...........T............#..........................................................................................................eJ......<.......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8420
                    Entropy (8bit):3.7002663408521363
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZ46IpLUK6YNnSU9lDJgmfJnpBt89bPrsf5Fm:R6lXJG6IpIK6YNSU9BJgmfJiPwfS
                    MD5:BFF58DFC362A8FD9F86648A074771F5C
                    SHA1:345A4AAA6D975AE7DE83F2C215A4463514C6FE26
                    SHA-256:18251E8DD45FF9CF4B462A3948B4D29C9A774217E1F0CD66E30F75D2BFD9AED3
                    SHA-512:48B5C1683CCFF90BA1AA0549FFC25B84E6CEE55D924E500F8D0FBD2A6DB09FCADAC29675EC44A15FB97FAF094C6270D5A56D1A6E5C47EEE1C4098D4300B2021E
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.481272118191749
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg77aI9dunWpW8VYjTYm8M4JIeFW+q8v1Vd0QSlh5d:uIjfLI73j7VnJ4KPd0QSlh5d
                    MD5:9D268B680C47B9A9A59082AC36BE8875
                    SHA1:D0F09A4D55DAB8B6D73AA4466321E2C5C6BB01C2
                    SHA-256:209D9E398680049DD4E7423FD429542A9A958B8E60BC91A00837B5540E3FAE1E
                    SHA-512:F45B2043C588B8B5769FC6C5430EDD87547DA3A858096AD1325F330627C516A2748A49FA916439416FCEA13E10F208123F9F0AE1C48CCB0839F2C5E9409C2077
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515329" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:23 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):90282
                    Entropy (8bit):2.2327067799678755
                    Encrypted:false
                    SSDEEP:768:MACgTvr+bpU+toObaJIahg59R141MoYRCr7:MA3TaUqWJIJFWkCf
                    MD5:2FCC80CAC1F299503A7357392DC4103C
                    SHA1:6AFE3AF39193D8635AE46BED14051506478895B4
                    SHA-256:D79CB973D33B3DCF705EFDF220E5A990E44C570B9584A0A0C85437E7A8F000E7
                    SHA-512:B4FD5BB7F952DB4912219F9CEB2B0C556572E7A9743235D0CE74C6995AF42881C480AD4A07C705EE87A933DC862FA498246C9AC3E2B81C9A3805A42A1FFCD1CA
                    Malicious:false
                    Preview:MDMP..a..... ..........f........................P...........<...........t....=..........`.......8...........T............#...<..........T...........@...............................................................................eJ..............GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8420
                    Entropy (8bit):3.7019020808877543
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZn6b6YNRSU9YgJgmfJnpBM89bGrsfUCCm:R6lXJJ6b6Y7SU9fJgmfJRGwfp
                    MD5:A7D7C5CBA6FBDE089DAF7459894A4B1E
                    SHA1:39870D8D4BA48E74CA92D980B18922AEAD155487
                    SHA-256:B1B4886DF064A048FC49463421CF42A6484B21A955742301846AA5D22A99059C
                    SHA-512:11FC2CC854A9A77E9FE9A38337B28B532C175392D5495A4D6F8846F00AC351D60964672BB51E3B5FB408E1D16700BA1607F13450BA9F5A2CED3FD12D9B48749E
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.4817650810105105
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg77aI9dunWpW8VYjJYm8M4JIeFF+q8v1Vd0QSlh5d:uIjfLI73j7VZJXKPd0QSlh5d
                    MD5:D57449D1E1992E755A2260F23144C4DF
                    SHA1:84DDB41D5F14ED4F398E6D7200A5649433A8E9B6
                    SHA-256:9C32F36CC9D403170A523945415FB783A45DA4C2665CB18CED66DB6B21025F5D
                    SHA-512:B892637CDB59CDAB46FA4301A4734036CBDC92E8236356B3C6B2D26CE643952574ACB37DDB9FF939261EB453563C519377D9CE2DD4F6492E359FE6326BB2143A
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515329" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 05:46:24 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):108902
                    Entropy (8bit):2.155361469699659
                    Encrypted:false
                    SSDEEP:768:fAmaeoQzbp9gF2Y5ALieDNLYZ0navpoYTVKPGZqA953q:fAfm9gJ5ALiWNUqahfBKOF953
                    MD5:2B37619731D0A6B4784168813884F81D
                    SHA1:FB6D90AA7BB08A30BBC00B0B14A419B52C7BDD11
                    SHA-256:837A9C1A078F912CD4937CCCB3D6F75F16191B273A344D75C206D5957BE99822
                    SHA-512:F0A475035FD3F3E27254C7645A98B0E3689ACCD97AF7B561C786CF898CB0474016DA983FDC90240343FA5BA351972601A1B1D1BA74EE17305A69F4137CA6546E
                    Malicious:false
                    Preview:MDMP..a..... ..........f............................(.......<...........t....I..........`.......8...........T............+...}..........X...........D!..............................................................................eJ.......!......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8420
                    Entropy (8bit):3.7019666168856333
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZ36R6YNwSU9s0fgmfJnpBV89bwrsfztOQm:R6lXJZ6R6YaSU9ffgmfJKwwfK
                    MD5:2FA473B6E025696E414ACA8A6AAC39C5
                    SHA1:2D6A7706907870AEC4E6B44A50FE3B9807D5374A
                    SHA-256:7BF0E4A4E036D543C6CCCA2F6980179F08A49176C815850519A1182C839D4BB8
                    SHA-512:F800FDE27D11F0CDA146DAAE6E11C2E9FB38B465BF73C8F912FEB51BED063DFE35847F013DC7DC9D67AF98909A322E8BCF79C8B0994700BB9DAFF43892662DE0
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.481526877689725
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs5Jg77aI9dunWpW8VYjZlYm8M4JIeFTWw+q8v1Vd0QSlh5d:uIjfLI73j7VyUJXKPd0QSlh5d
                    MD5:1322185E1B187937B260B1DB26788CE1
                    SHA1:86A483DAD5EA783B3570ABF0E9D0270775419977
                    SHA-256:EB2996603B3BAF1B2912ADFD84F0AA2999C2E6D67887ADBFEC45E340C084F574
                    SHA-512:3D935BF17F76702466080E5CD7EF1DFCE781B970F6BF57F5CB14B866D949B712C3AD3D90681E2E1E23375B6AB27A92472ED824617CE107FB994567BC0E7BCA6A
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515329" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 07:15:13 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):103270
                    Entropy (8bit):2.055959405584928
                    Encrypted:false
                    SSDEEP:384:JApOJTa64/l8bp9hdSsob2LxhHVvpVqYWGVKPGihbeEb4wxJx1:JApOMBabp9hd93d7vpoYNVKPGM06JX
                    MD5:B82687A052EC208A7DB31D47C4482124
                    SHA1:0E081829FCCD2896058961F57EA9CE502F6133B9
                    SHA-256:D8EBE644F5AD4ECB58C582D2066F8FF13D61323C2517A1D17355BCBD7A13069D
                    SHA-512:3413909749996F9AA2D0B3FFE52AA444C270E5716428EF562FEABCE52D9581628244ADBA7D4E170D5B24558E7DD76E4989A883FBA69E66E2E6ABC6ACC718FA21
                    Malicious:false
                    Preview:MDMP..a..... ..........f........................`...(.......<...............hJ..........`.......8...........T............,...f.......................!..............................................................................eJ......H"......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8430
                    Entropy (8bit):3.6998395165917195
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZQ6pR6YNQzSU9odZgmfJnpBT89b5rsf0JdTm:R6lXJe6pR6YuzSU9OZgmfJc5wfT
                    MD5:3471D29BCAD6C97D6B746CA221AA6169
                    SHA1:4E109A19F0A492C4F61F2EC7A3946112E4BC6D12
                    SHA-256:F283D1E6D162266BD90694F107E74E56B0D9BAF5F4BE8888225726B02E2DDE49
                    SHA-512:615082C31D4B794EBA87405B29CFEC2B2AB13FEA9F747B09A2D593947A992C59C00F8822961308D444AE95B31CF84EB484EBC90E1F1C15EE7D45B27EB65C948C
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.481347405766496
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs9Jg77aI9dunWpW8VYjVYm8M4JIeFHd+q8v1Vd0QSlh5d:uIjfXI73j7VhJDKPd0QSlh5d
                    MD5:98B5D0970C1C2CF61C5650449001307D
                    SHA1:928781ADD4BD1522F99B5BB88619983B422386E5
                    SHA-256:84D17BB40E62C2326142341E22E255DFF5E33272640DCE3B2B8CCDE82DE7931B
                    SHA-512:C938921A3117538EFFB044F156143C69DBE05008BCAA9F43740DB1CFF0B4ED0152325DFAB97ED32C8B7DD20C4AD2E2605A3F7602BFB79BE329F1764A7C1188A1
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515417" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 07:15:14 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):117362
                    Entropy (8bit):2.1860885141865785
                    Encrypted:false
                    SSDEEP:768:KA7dBNKbp93MKxupVjzUGpUYNVKPj+SIP:KATg93MKQpVjzUwrDKb+SIP
                    MD5:0A9380DAEE6CEB60126F2256CF007FC5
                    SHA1:57192C7F9DC8AB2EBFB29084E5F4C8EFB6923190
                    SHA-256:A5BC2350D46641B727E354772D2EE1319962613576BA7C3A6E7EFFC7C02FF092
                    SHA-512:E86C5262D660523FBEB31EDDB87A60428009C8FD317F38342ED2969C7549DC51DB03CCCE33B57D5C7FE5A57F79CFA3B494F4BBC6C390D28379E0AF0C2608ACF1
                    Malicious:false
                    Preview:MDMP..a..... ..........f............D...............X.......<...$ ...........M..........`.......8...........T..........................` ..........L"..............................................................................eJ......."......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8430
                    Entropy (8bit):3.7000564029046457
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZh6X6YNQ0SU9udZgmfJnpB389bGrsfdCm:R6lXJ/6X6Yu0SU9oZgmfJAGwfp
                    MD5:65A10A21A08032560D7E3A6D1C36DDDA
                    SHA1:BCD9E16E2E2675A1250C941CF48305C5A8302639
                    SHA-256:21922F960F50A0BC8DE8D1AA319D661FCAF9A4549C4F8EB3E849C24D39EF2AB5
                    SHA-512:23E3A8EAB63A99F261B1B8977541E5ABE0735874EEBF9572511553CE0CDBB1C6B104E2DB149257FB101105A488923606364834B81F45A224D8967B1263BF1795
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.480713629327579
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs9Jg77aI9dunWpW8VYjCYm8M4JIeF2+q8v1Vd0QSlh5d:uIjfXI73j7V+J0KPd0QSlh5d
                    MD5:8834B0916FF62ECE5F3E783C3B136F11
                    SHA1:EAC11832910D6A76941E5175B60913F291CE25D4
                    SHA-256:45770B8B00430C7CC05A7CA74641AAD8B9D374EE423D0AE864E8F9053F19D0B9
                    SHA-512:2740EC4EB951E21683690C2717A404AEC497C075C5861750CC110898100631DA590B4F737E06785D6F5848DA9EABD1AEF6DE088854ACB2B797F8D7E925A06E81
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515417" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 07:15:43 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):43066
                    Entropy (8bit):2.545420911418239
                    Encrypted:false
                    SSDEEP:192:l03rUcXLpjyznIXPN0XRpMObPhOFm9H0drbuTgS1XY4k2ECIrguvpDXrPH0OHeW+:6BpjOnwNEFbp9GdggS2ShZuxXDZH7V0
                    MD5:98826FFE60A1BD5EED6BFDCE4FC06115
                    SHA1:B0806877021279983AE6E767239A8F632E3DDC49
                    SHA-256:9F1299DC96DF520EC40E6856E713E74F1435918E16A03B28DBDB83C76182F95B
                    SHA-512:A43EF8321438773CBAD2C6C5472C3391829D0EB0C28FCE4733D90DF5F0EBB91727B0561952BE49CC1EE3074E40D72FCCC531A6EF80F01CF2F739D75CDAB236E6
                    Malicious:false
                    Preview:MDMP..a..... ..........f............4...............H.......<....#......t....4..........`.......8...........T............:...m..........8$..........$&..............................................................................eJ.......&......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 07:15:15 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):115836
                    Entropy (8bit):1.94329109056593
                    Encrypted:false
                    SSDEEP:384:dAihvmgxEoHJ3bp9g2e9InNkx/qAdq7o9kL0GhVJKt02L8PJc3M:dAihvmgKc3bp9g2SYU5qk960xt0NO8
                    MD5:E605B174FFE89B0446262EDCFF2176F7
                    SHA1:9BC322D576033F408CCA9454AA3D4215B04700F9
                    SHA-256:8F2B452D6D0401D1A5DF6C999945705901D8C0C4DD9FF7C05445B26C2F6C5FF8
                    SHA-512:28076D91DC5A1B19706D58C87B90A3B899FE50BD3E57C8E2A56E7A9F95B06EFADA046E7A0DC115D0FC75B15FBCEC697258873DFA3CBB725F746466BCC7C2DCE9
                    Malicious:false
                    Preview:MDMP..a..... ..........f............t...........8...........<.... ...........Q..........`.......8...........T............................ ..........."..............................................................................eJ.......#......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8430
                    Entropy (8bit):3.6999330683209495
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZD68e6YNQhSU9pdZgmfJnpB089bPrsf0cFm:R6lXJN68e6YuhSU9zZgmfJpPwf2
                    MD5:25C9562732E629D6E0B64B4A2622D473
                    SHA1:C788889DAADB022360B256E76B2CB0A2450F196E
                    SHA-256:79BF19179777D7A87B1B1CD7C9FA3EDD02858D1F714FEEAEABC0222D9306A03B
                    SHA-512:8557681419967032A77E8FF7A0650039ECFC24D698B4363501482A4BEB4D45164A75D76BAC9E30CA5796AD6DD472A38880D4905FD11B75B1E1FCC70ED07A3D3B
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4720
                    Entropy (8bit):4.4801109298387995
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zs9Jg77aI9dunWpW8VYjhYm8M4JIeFke+q8v1Vd0QSlh5d:uIjfXI73j7VJJaeKPd0QSlh5d
                    MD5:6658C8D0717B21818F852FE9EE4FAB13
                    SHA1:D757158D693A3EC4E5D1B7CB7593283933A440D8
                    SHA-256:CD4F8DAFC8724AAB60800F5284B8A32BB9AD7A109617BDC1FF4F0FE84322F9A0
                    SHA-512:68482E4F9C85931FE7467CA89383C5CD67FA6D475C8DBDE8AD47D3757C3012731A38A75935BB91BFF1DBBB89D2ECD0949AD36637558D8BFED06482CF3C4260A2
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515417" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 07:15:18 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):46750
                    Entropy (8bit):2.4842530400693157
                    Encrypted:false
                    SSDEEP:384:mBpjOnwN4Plbp9lITgSC6ShlRXnrRCXtU:mB18Bbp9UsnrkdU
                    MD5:CC7B56408954CE686A386BB61F9DF625
                    SHA1:60CDC214BDEECCB6911F441DAAE4CA9120A3F3C9
                    SHA-256:9BF1ED9018F358B23C5A4F7C4D80AE98F5372CB5FE86768C104D45BE45B15A9D
                    SHA-512:F04AFE4EA19BD4C9CF9E40E5FEB7F98EC53F98365E52032D1150BBE29F3842E4D9B6B984BA9ADBF1063AD444A847CC45D0F111643E599835DCB38A340D003A09
                    Malicious:false
                    Preview:MDMP..a..... ..........f............4...............H.......<....#...........4..........`.......8...........T............:...{..........8$..........$&..............................................................................eJ.......&......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8390
                    Entropy (8bit):3.6944188425135622
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZ6676YNQ8SU9xYZgmf9uUpNr89barsfQem:R6lXJE676Yu8SU96Zgmf9sawfA
                    MD5:4552AF62CD8596CA8E3C5E016F1F9533
                    SHA1:B1904B7AEA13772D76A1B1B74D3AE02951237EBA
                    SHA-256:12A888A21238188C64F3FA0A35019FE0EEE5D2DDEFD9ACEB27541AC6A78EB8FC
                    SHA-512:76DF02762174B65659B24F877C065C63B8E7012FEEC8EED9A48414168D25BB84608A3D116F05DD0E07CE684618183D3D6B2A0F129E73DCE5C57A46B5A03CFF89
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4680
                    Entropy (8bit):4.444656668525276
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsoJg77aI9dunWpW8VYjQ5Ym8M4JIeFQK+q8v1Vd0QSlhId:uIjfuI73j7V0JaKK3d0QSlhId
                    MD5:144BEB08EB68AFEECA872B6E64B51BFA
                    SHA1:58CCDAE3156BACF01C365AF1F98FD4D6E1017158
                    SHA-256:210C01F6EFE3FD51F27B31D990DF996FA0A4911C002BAEA5F7DB29F5CEA5F534
                    SHA-512:F0501B03B79678480D5AE24120D35BD8D30EC36FE79A4AC8F62EBECDCE30F32B238EBD1A6680116E2E3AB10E7E655011C56128BD11B60325E8052AE906074F76
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 15 streams, Wed Sep 25 07:15:22 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):46822
                    Entropy (8bit):2.4878365259925137
                    Encrypted:false
                    SSDEEP:192:ofrUcXLpjyznIXPN0X7RJObPhOFm9AZkbuhgS1Xvbw/4k2ECIOzZGQMnDsdXf+aM:MBpjOnwNhbp9WZpgSR0ShpZ2AdPXYCID
                    MD5:9B8D59407BDD656ECF4CEB2DA1AE40AA
                    SHA1:502426701BA66EC3E2BA402A4D77E6051F12DA14
                    SHA-256:F71EBD8D926E77B1163ABF6D21724E1CC863BFCA587FA6867C9BA2E16AF00881
                    SHA-512:3ECDE7719AB170DE99F553938B5783B15E7DF68451E1F96A46FB46E7FBCBAC65CE6141C547A0CA7D9235EDDE3A792FBD6A4A72BEC39ECB46054A5F5E45E4C99F
                    Malicious:false
                    Preview:MDMP..a..... ..........f............4...............H.......<....#...........4..........`.......8...........T............:...|..........8$..........$&..............................................................................eJ.......&......GenuineIntel............T..............f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8326
                    Entropy (8bit):3.69607140396092
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJZE6l6YNQgSU9WvqogmfCuUprL89bjrsfmBm:R6lXJa6l6YugSU9bogmfCajwfR
                    MD5:824736FB5EF42EE9FB4686DB8675E0F8
                    SHA1:4020F5F2FC18CB38B6F1152A3D1C23F5B7517D42
                    SHA-256:C65A7C906C5D65CADB3D9E90FDA8A3444FCE6820F98C11635476EB2C93044F3E
                    SHA-512:BF9E6E06D726CE935F727B3295FD0D6C3C79BC153F2C5C40DA01E9603AF2112909B836ECCE279177109277BDEEA577457E045AB5988C1825950DDCE77A46E280
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.8.0.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4579
                    Entropy (8bit):4.457478185477567
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsoJg77aI9dunWpW8VYjZYm8M4JINFrY+q8WFd0QSlh5d:uIjfuI73j7V1Jxdd0QSlh5d
                    MD5:2540F6D32A4064C03DF39B10CC2295F8
                    SHA1:CD8DF08F7D00AD50068C549278C49458D2CC15B4
                    SHA-256:DE5971561BDD3992B5CCCD98792CA88A80AD61805B5F4503BCBC5234F0AF5173
                    SHA-512:49811AEC93A5974991F9C137170C36AC073DF9D6A23C3FADEB4A2AC949BF7400371A08C48B0AC2BF762875970EF810F620E6D973E1914133C14D60315B43CED3
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Wed Sep 25 07:15:23 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):25184
                    Entropy (8bit):2.2799661800067934
                    Encrypted:false
                    SSDEEP:192:YAqgjXnQ1XON3gS1XGfATx9JA3wfQzl1:82QEN3gS8qx9MwfI
                    MD5:B6EA481969A621ABD76934F99AC71B43
                    SHA1:2CAF7A1662CC93F737A07BF28D6BA8F4A891A742
                    SHA-256:D56E6C43595B875227AEC7EDF4A91992D9267E086A6DC996A8302ABCE34E834C
                    SHA-512:9DEF80E13C10751445EB2AB01DC4122B022973E6D55DF669E9A6F857C99B18F99B7880FC86B3FCEDDBD3603ED4266D3C2987E9F77DDA4E15C07B491F1EE3A2D9
                    Malicious:false
                    Preview:MDMP..a..... ..........f............4...............<.......................T.......8...........T................O......................................................................................................eJ......P.......GenuineIntel............T.......0......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8338
                    Entropy (8bit):3.6884392272767292
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJGl6CC9s6YJM6Ngmf95QpNm89bad1fio+m:R6lXJk6CL6Yy6Ngmf96affio
                    MD5:6F46F388265C0619962FD762EBD9C861
                    SHA1:D5061EE130395786919B4CF1C8F7B161349F9AB8
                    SHA-256:53111FD93EA8B13898CF6EAB822E5C18087835D808433D6EA0069E602F6B99E0
                    SHA-512:FB2D092F35B9831C48828608D9B7000EA84717AC06A866EA405E2E73DE2329E81C2ACAE7052F77EA7EC0B5EDCFC48B7DEDD7EFD825164C619C0271BADB8B151C
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.1.6.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4652
                    Entropy (8bit):4.421337409914967
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsoJg77aI9dunWpW8VYjtYm8M4JgVFUT+q8vK37zCplU6d:uIjfuI73j7VlJ7Kq7zCplU6d
                    MD5:A1F55F16BE3E77805CCC42E6DCF5317C
                    SHA1:E3C0E89E1E79545E423571901B0D1B42DE7EA877
                    SHA-256:4221BADB4E247082631EB4DA8ECC89DE70563DC82A3DBBBCD3256BC111CA241C
                    SHA-512:1525CE9CC505A8426B83A4F8AAA2201A2324F7E63673B0D8AD59A548477EEBFF46A06A8913EBFBDD995AAC39539BCE5DABC23EE4ABCC79F4273B4124306849DE
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Wed Sep 25 07:15:25 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):25256
                    Entropy (8bit):2.2838239457648424
                    Encrypted:false
                    SSDEEP:192:ypqgjXns6OiugS1X0nANR9JAv4+3ZMvj45:l2sFiugS2YR9E4+3R5
                    MD5:36F34C6573170DF5A6E531117BC1EE98
                    SHA1:AE7DB3F3FB2EB16CDD22BC6D045FCD2938A9F7FE
                    SHA-256:81676FEB936D947472F0611F3ABE39E9148BF92F8ADD5D1D033C556FB5C3781E
                    SHA-512:DDCF4E71BE6B133420C6A5172E0CB87AF72AE40FF99C90A42B78DB3B799340F9512B165699E482D810A6711E0F74DE50036B968529053038B359F93167F085EC
                    Malicious:false
                    Preview:MDMP..a..... ..........f............4...............<.......................T.......8...........T................P......................................................................................................eJ......P.......GenuineIntel............T.......0......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8272
                    Entropy (8bit):3.692914839879223
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJGL6CV6YJx6Ngmfi5QprOx89bMVsfwkm:R6lXJK6CV6Yv6Ngmfi6Mufy
                    MD5:C2CCCDF9301BBD6F9D864FA0C36F4DD5
                    SHA1:E5CF131FD01A740D4B269C00D44BC0042685B39C
                    SHA-256:44391335164C153C43ADBBD1A3133EE730EB38C7842D91401C184D9778B39845
                    SHA-512:0A5B3AD9AD6744605C2886D21D43FFA37F47E562816FC726E6282CE71AAFD3FB6BEE7CD3E13045D394FA39E8AC7BDB7BA8402E6A4C2E40C60FB192551E254273
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.1.6.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4551
                    Entropy (8bit):4.4355056692787445
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsoJg77aI9dunWpW8VYjdYm8M4JgqF1V+q84y7zCplU7d:uIjfuI73j7VBJDV87zCplU7d
                    MD5:17146DDD192FAF363297F21005FA630B
                    SHA1:30880C27A90F6F5B89A95AABAA586BB6E9F9D4C8
                    SHA-256:9098B23F71CDC843FD074C1635525FF961016880BA63595C698C3A381F2E281D
                    SHA-512:300233B243B8F3F204C5B622B0364AC722BB302BA39F5B95DA6B5E34FED96E858D2B1583E0F2BBCF4DA041E1F350236F70544A69117BF149B3A0096C04FFE708
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Wed Sep 25 07:15:40 2024, 0x1205a4 type
                    Category:dropped
                    Size (bytes):21480
                    Entropy (8bit):2.3799122818163227
                    Encrypted:false
                    SSDEEP:96:5e80rYTmyPleNB63HjXj5JfIwsi7YwghgS1XV9fgAm9XZ6lGWIkWI8EIkpAGcW8/:DpqgjXnwHOkgS1XzgAm9JAPAGcWT2/Ua
                    MD5:4A860AFE094782DD7CE7C9424139912C
                    SHA1:84FB2C4DB00EB21779BFD404952D647A8AB14F2F
                    SHA-256:72CCF12646234C20F69C32533A859D990222E69939584F51971D70C767F41583
                    SHA-512:BD5753DA68EB317B4222621DDD39BEB31D4EE10953E711F2B5F8AD764DAAD934D0A062EB7AB4BEE86E907A6BBBCB69F6A7F0C0371DE1BDD712FC2814E1802D19
                    Malicious:false
                    Preview:MDMP..a..... ..........f............4...............<.......d...............T.......8...........T...............hA......................................................................................................eJ......P.......GenuineIntel............T.......0......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8274
                    Entropy (8bit):3.6923772605129037
                    Encrypted:false
                    SSDEEP:192:R6l7wVeJGK6H6YJ36kYgmf6nJpDO89bXVsfVdm:R6lXJT6H6Yp6Bgmf6nrXufu
                    MD5:69DEBA3B84C1C6BDE0802EF53A2E5514
                    SHA1:BCC87C3A3679432FA4B5F9D90B62630BAB269125
                    SHA-256:F2D04DDC5AD40D473487E6010EE37DF229FAF2E073AAA041720EE10904AEEEAE
                    SHA-512:B00D53F70ED9A36B96A532CF0B7EF75D4B2231B935A6FB753969DE71029F0FE4F81A1183F7677DB2E4ABF4B352A14809C8DD7DC1AEC3573606E026FD4808E793
                    Malicious:false
                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.1.6.<./.P.i.
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4551
                    Entropy (8bit):4.435399863653185
                    Encrypted:false
                    SSDEEP:48:cvIwWl8zsoJg77aI9dunWpW8VYjnoYm8M4JgWFVdL+q8io7zCplU7d:uIjfuI73j7V0J1U7zCplU7d
                    MD5:9345EBDA88F43D87E5DF3C40C4A956C8
                    SHA1:DDE01D11B2CF5AB87232961AE5BDE75C3E52A48F
                    SHA-256:38A2DA90D1F19EBCE472EC1A67772F11F59DA15546A9E6524CD81C52A851BC04
                    SHA-512:74C1FBFE5BFB43DBA1E96614716F1ADA3FD65394F82E7B94247AC85887B1CEDDB74F6AACECBE7C557AC6993527FC734B14F7B4435C0ED78A14A9969B196F535C
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="515418" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                    Process:C:\Users\user\Desktop\A1E1u0Rnel.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):445440
                    Entropy (8bit):7.144815474711832
                    Encrypted:false
                    SSDEEP:6144:HLq9GF64lio2h7Yw8nmnjgepNUn6QUvO2t/PhbrwknPJFYc5bmi:HG9G4zRrnzv1tHVrwkCi
                    MD5:9E8835F955E76958242682C313E7195C
                    SHA1:51544394F6867BAAF518768FAE610BE8AFDF48FD
                    SHA-256:3DBD82FE0AB3C3ED3ECABE41B6AEE651928F0305B07B0285828FD878D84EE4A9
                    SHA-512:2856FA5E5FEEA068BB07DBE74BAFF55957B6F5EF612892E7EBDC3A525D87BD7B7DA7B31F8D9A75BC441CA83F5307DC52821216AD65A37217F0FEADA03454D747
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 53%
                    Joe Sandbox View:
                    • Filename: file.exe, Detection: malicious
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q7.d?d.d?d.d?dt+.d.d?d.6.d.d?d.6.d.d?d.6.d.d?d.Dd.d?d.d>dJd?d.6.d.d?d.6.d.d?d.6.d.d?dRich.d?d................PE..L...l9zd.................X..........q........p....@.........................................................................<...P....P...(.............................................................@............p...............................text....V.......X.................. ..`.rdata...#...p...$...\..............@..@.data...............................@....tls.........@......................@....rsrc....(...P...*..................@..@........................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\A1E1u0Rnel.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Preview:[ZoneTransfer]....ZoneId=0
                    Process:C:\Users\user\Desktop\A1E1u0Rnel.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):306
                    Entropy (8bit):3.4970215712840784
                    Encrypted:false
                    SSDEEP:6:T69tDZXUKJUEZ+lX1CGdKUe6tcVAkXIEZ8MlW8+y0lbctvt0:O9JlvJQ1CGAFMkXd8kX+VYtvt0
                    MD5:E7B600D9DB7D0BF840979EE863A539E0
                    SHA1:FCD4F662758FCA7372015D61D4B3B120A28E14C9
                    SHA-256:7E9A73069C8ADF54C47BD790EA861555FB88EC4D57D1EF8EED941396A458D4B8
                    SHA-512:147995F95A70A46796BC69A77CB64134DC3E0BE45CB9139C2B33A1AAD3A0947CE9F01A343BE225E9B7B016D15E615600A0D079F10E4B1F84EC556825220DE827
                    Malicious:false
                    Preview:....N.<....J.Q.q||..F.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.a.b.c.3.b.c.1.9.8.5.\.s.k.o.t.e.s...e.x.e.........F.R.O.N.T.D.E.S.K.-.P.C.\.f.r.o.n.t.d.e.s.k...................0................./.@3P.........................
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1835008
                    Entropy (8bit):4.419331900975876
                    Encrypted:false
                    SSDEEP:6144:Qcifpi6ceLPL9skLmb0mHSWSPtaJG8nAgex285i2MMhA20X4WABlGuNI5+:1i58HSWIZBk2MM6AFByo
                    MD5:367F25F989B678B8986040FE1A20A941
                    SHA1:7DA56EC8F51140FB579D6AA5020461C9031788DC
                    SHA-256:233E806CE5C5E0DCA337CFFD7C2027F1C54D7CA4C2A5C130A3DA211511FF93E2
                    SHA-512:3F9754B5E5D13ACC329E6A5323262E7AA96EA9089670E70EC6ACF00AC0FDEA9A7A6B5BFECF0F8A2B05BCBADE3CCBAE639555A86088D728616C0FC04F71FAB1E6
                    Malicious:false
                    Preview:regfP...P....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6.<............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.144815474711832
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:A1E1u0Rnel.exe
                    File size:445'440 bytes
                    MD5:9e8835f955e76958242682c313e7195c
                    SHA1:51544394f6867baaf518768fae610be8afdf48fd
                    SHA256:3dbd82fe0ab3c3ed3ecabe41b6aee651928f0305b07b0285828fd878d84ee4a9
                    SHA512:2856fa5e5feea068bb07dbe74baff55957b6f5ef612892e7ebdc3a525d87bd7b7da7b31f8d9a75bc441ca83f5307dc52821216ad65a37217f0feada03454d747
                    SSDEEP:6144:HLq9GF64lio2h7Yw8nmnjgepNUn6QUvO2t/PhbrwknPJFYc5bmi:HG9G4zRrnzv1tHVrwkCi
                    TLSH:76947DB26AE06815FEA647359E29D6ECE76FBC525E34424E3180BE1F18733B1D712312
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q7.d?d.d?d.d?dt+.d.d?d.6.d.d?d.6.d.d?d.6.d.d?d..Dd.d?d.d>dJd?d.6.d.d?d.6.d.d?d.6.d.d?dRich.d?d................PE..L...l9zd...
                    Icon Hash:738733b18ba39bec
                    Entrypoint:0x401a71
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                    Time Stamp:0x647A396C [Fri Jun 2 18:48:12 2023 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:ef449b91b415f487291c91f6dead0311
                    Instruction
                    call 00007FC1A0707A16h
                    jmp 00007FC1A07037AEh
                    mov edi, edi
                    push ebp
                    mov ebp, esp
                    sub esp, 00000328h
                    mov dword ptr [0044BC28h], eax
                    mov dword ptr [0044BC24h], ecx
                    mov dword ptr [0044BC20h], edx
                    mov dword ptr [0044BC1Ch], ebx
                    mov dword ptr [0044BC18h], esi
                    mov dword ptr [0044BC14h], edi
                    mov word ptr [0044BC40h], ss
                    mov word ptr [0044BC34h], cs
                    mov word ptr [0044BC10h], ds
                    mov word ptr [0044BC0Ch], es
                    mov word ptr [0044BC08h], fs
                    mov word ptr [0044BC04h], gs
                    pushfd
                    pop dword ptr [0044BC38h]
                    mov eax, dword ptr [ebp+00h]
                    mov dword ptr [0044BC2Ch], eax
                    mov eax, dword ptr [ebp+04h]
                    mov dword ptr [0044BC30h], eax
                    lea eax, dword ptr [ebp+08h]
                    mov dword ptr [0044BC3Ch], eax
                    mov eax, dword ptr [ebp-00000320h]
                    mov dword ptr [0044BB78h], 00010001h
                    mov eax, dword ptr [0044BC30h]
                    mov dword ptr [0044BB2Ch], eax
                    mov dword ptr [0044BB20h], C0000409h
                    mov dword ptr [0044BB24h], 00000001h
                    mov eax, dword ptr [0044A008h]
                    mov dword ptr [ebp-00000328h], eax
                    mov eax, dword ptr [0044A00Ch]
                    mov dword ptr [ebp-00000324h], eax
                    call dword ptr [000000F8h]
                    Programming Language:
                    • [C++] VS2008 build 21022
                    • [ASM] VS2008 build 21022
                    • [ C ] VS2008 build 21022
                    • [IMP] VS2005 build 50727
                    • [RES] VS2008 build 21022
                    • [LNK] VS2008 build 21022
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4893c | 0x50 | .rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x145000 | 0x22880 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x484e8 | 0x18 | .rdata
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x484a0 | 0x40 | .rdata
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x47000 | 0x1cc | .rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x4561f | 0x45800 | 901ca5b78513f3e4ae030b9f735fa160 | False | 0.9155765231564749 | data | 7.875731644568043 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x47000 | 0x23c2 | 0x2400 | b680bb530f40683cc8a114878210f536 | False | 0.3715277777777778 | data | 5.601694037151863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x4a000 | 0xf93bc | 0x1c00 | 392fce6f33c33073444c52794f775fbd | False | 0.22809709821428573 | data | 2.4188264231659278 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .tls | 0x144000 | 0x51d | 0x600 | d00a0884dfc2593613905d91d2ea3f37 | False | 0.015625 | data | 0.007830200398677895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0x145000 | 0x22880 | 0x22a00 | 09c8440545b3265fb90a67416207b4ff | False | 0.3892641583935018 | data | 4.94575270045558 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    AFX_DIALOG_LAYOUT | 0x15caf0 | 0x2 | data | | | 5.0
                    VEHESEHOJIZUGEGITASABEZOYIBEMOM | 0x15c6f0 | 0x3fa | ASCII text, with very long lines (1018), with no line terminators | Turkish | Turkey | 0.6335952848722987
                    RT_CURSOR | 0x15caf8 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
                    RT_CURSOR | 0x15cc40 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
                    RT_CURSOR | 0x15cd70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
                    RT_CURSOR | 0x15f340 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.31023454157782515
                    RT_CURSOR | 0x160200 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.7368421052631579
                    RT_CURSOR | 0x160330 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.06130705394190871
                    RT_ICON | 0x145c80 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.5770255863539445
                    RT_ICON | 0x146b28 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6525270758122743
                    RT_ICON | 0x1473d0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7091013824884793
                    RT_ICON | 0x147a98 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7528901734104047
                    RT_ICON | 0x148000 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5309128630705394
                    RT_ICON | 0x14a5a8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.6355534709193246
                    RT_ICON | 0x14b650 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.6516393442622951
                    RT_ICON | 0x14bfd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.7845744680851063
                    RT_ICON | 0x14c4b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.3435501066098081
                    RT_ICON | 0x14d360 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5347472924187726
                    RT_ICON | 0x14dc08 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6192396313364056
                    RT_ICON | 0x14e2d0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6748554913294798
                    RT_ICON | 0x14e838 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.42914937759336097
                    RT_ICON | 0x150de0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.5168032786885246
                    RT_ICON | 0x151768 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.5106382978723404
                    RT_ICON | 0x151c38 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.39952025586353945
                    RT_ICON | 0x152ae0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5604693140794224
                    RT_ICON | 0x153388 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.619815668202765
                    RT_ICON | 0x153a50 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6329479768786127
                    RT_ICON | 0x153fb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.4530956848030019
                    RT_ICON | 0x155060 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4426229508196721
                    RT_ICON | 0x1559e8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.4858156028368794
                    RT_ICON | 0x155eb8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.3358208955223881
                    RT_ICON | 0x156d60 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.40342960288808666
                    RT_ICON | 0x157608 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.40380184331797236
                    RT_ICON | 0x157cd0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.4111271676300578
                    RT_ICON | 0x158238 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | Turkish | Turkey | 0.175
                    RT_ICON | 0x15a7e0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | Turkish | Turkey | 0.19910881801125704
                    RT_ICON | 0x15b888 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | Turkish | Turkey | 0.23442622950819672
                    RT_ICON | 0x15c210 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | Turkish | Turkey | 0.2632978723404255
                    RT_STRING | 0x162ab0 | 0x3d0 | data | | | 0.45901639344262296
                    RT_STRING | 0x162e80 | 0x6fa | data | | | 0.4311310190369541
                    RT_STRING | 0x163580 | 0x710 | data | | | 0.4258849557522124
                    RT_STRING | 0x163c90 | 0x716 | data | | | 0.42998897464167585
                    RT_STRING | 0x1643a8 | 0x6bc | data | | | 0.42923433874709976
                    RT_STRING | 0x164a68 | 0x796 | data | | | 0.4243048403707518
                    RT_STRING | 0x165200 | 0x6cc | data | | | 0.4298850574712644
                    RT_STRING0x1658d00x6f8data0.4327354260089686
                    RT_STRING0x165fc80x618data0.4442307692307692
                    RT_STRING0x1665e00x6b2data0.4340723453908985
                    RT_STRING0x166c980x6cadata0.43383199079401613
                    RT_STRING0x1673680x484data0.4619377162629758
                    RT_STRING0x1677f00x8cdata0.6
                    RT_GROUP_CURSOR0x15cc280x14data1.15
                    RT_GROUP_CURSOR0x15f3180x22data1.0588235294117647
                    RT_GROUP_CURSOR0x1601e80x14data1.25
                    RT_GROUP_CURSOR0x1628d80x22data1.088235294117647
                    RT_GROUP_ICON0x151bd00x68dataTurkishTurkey0.7019230769230769
                    RT_GROUP_ICON0x15c6780x76dataTurkishTurkey0.6779661016949152
                    RT_GROUP_ICON0x14c4400x76dataTurkishTurkey0.6610169491525424
                    RT_GROUP_ICON0x155e500x68dataTurkishTurkey0.7211538461538461
                    RT_VERSION0x1629000x1b0data0.5995370370370371
                    DLL | Import
                    KERNEL32.dll | GetComputerNameA, FillConsoleOutputCharacterA, GetNumaNodeProcessorMask, GetConsoleAliasExesLengthA, OpenJobObjectA, ReadConsoleA, QueryDosDeviceA, WaitForSingleObject, GetComputerNameW, GetNumaAvailableMemoryNode, FreeEnvironmentStringsA, GetModuleHandleW, GetConsoleAliasesLengthA, GetPriorityClass, GetEnvironmentStrings, FatalAppExitW, SetSystemTimeAdjustment, WriteConsoleOutputA, GetFileAttributesA, HeapCreate, SetConsoleMode, GetBinaryTypeA, GetModuleFileNameW, GetShortPathNameA, GetStdHandle, GetLastError, GetCommandLineW, GetProcAddress, SearchPathA, OpenWaitableTimerA, LoadLibraryA, InterlockedExchangeAdd, LocalAlloc, SetCalendarInfoW, MoveFileA, SetCommMask, FindAtomA, FoldStringA, CreatePipe, GetDefaultCommConfigA, GetModuleHandleA, FreeEnvironmentStringsW, BuildCommDCBA, PurgeComm, WaitForDebugEvent, GlobalReAlloc, CopyFileExA, GetVolumeInformationW, CreateFileA, BackupRead, DebugActiveProcess, HeapFree, HeapAlloc, Sleep, ExitProcess, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, WriteFile, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RtlUnwind, MultiByteToWideChar, ReadFile, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
                    USER32.dll | GetUserObjectInformationW, SetFocus
                    ADVAPI32.dll | ObjectPrivilegeAuditAlarmA
                    Language of compilation system | Country where language is spoken | Map
                    Turkish | Turkey
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Sep 25, 2024 07:46:37.999110937 CEST | 53 | 58541 | 1.1.1.1 | 192.168.2.7
                    Sep 25, 2024 07:47:04.043988943 CEST | 53 | 57400 | 162.159.36.2 | 192.168.2.7
                    Sep 25, 2024 07:47:04.538417101 CEST | 53 | 49895 | 1.1.1.1 | 192.168.2.7
                    Target ID:0
                    Start time:01:46:08
                    Start date:25/09/2024
                    Path:C:\Users\user\Desktop\A1E1u0Rnel.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\A1E1u0Rnel.exe"
                    Imagebase:0x400000
                    File size:445'440 bytes
                    MD5 hash:9E8835F955E76958242682C313E7195C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000003.1360771683.0000000002290000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:5
                    Start time:01:46:15
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 724
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:01:46:18
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 744
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:9
                    Start time:01:46:19
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 864
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:01:46:20
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 912
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:01:46:21
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 900
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:15
                    Start time:01:46:22
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 892
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:18
                    Start time:01:46:24
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1108
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:20
                    Start time:03:15:12
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1144
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:22
                    Start time:03:15:14
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1212
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:24
                    Start time:03:15:15
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1236
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:25
                    Start time:03:15:15
                    Start date:25/09/2024
                    Path:C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
                    Imagebase:0x400000
                    File size:445'440 bytes
                    MD5 hash:9E8835F955E76958242682C313E7195C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000019.00000003.1562563345.0000000002140000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000019.00000002.1788999781.000000000063D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 53%, ReversingLabs
                    Has exited:true

                    Target ID:27
                    Start time:03:15:16
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1408
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:29
                    Start time:03:15:20
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1568
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:31
                    Start time:03:15:22
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 480
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:34
                    Start time:03:15:23
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 488
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:37
                    Start time:03:15:39
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7216 -s 492
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:39
                    Start time:03:15:42
                    Start date:25/09/2024
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1548
                    Imagebase:0x360000
                    File size:483'680 bytes
                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Has exited:true

                      Execution Graph

                      Execution Coverage:1.6%
                      Dynamic/Decrypted Code Coverage:4.3%
                      Signature Coverage:27.3%
                      Total number of Nodes:655
                      Total number of Limit Nodes:24
58464->58465 58466->58349 58467->58354 58468->58368 58469->58382 58470->58351 58471->58408 58472->58409 58473->58408 58474->58413 58500 417f80 26 API calls 4 library calls 58475->58500 58477 40596b 58477->58416 58479 404dc2 58478->58479 58480 404b92 58478->58480 58479->58419 58479->58421 58482 404ce5 58480->58482 58501 436da6 40 API calls __fassign 58480->58501 58502 418ca0 26 API calls 4 library calls 58480->58502 58482->58479 58503 418ca0 26 API calls 4 library calls 58482->58503 58488 4180de CatchIt 58485->58488 58490 418104 58485->58490 58486 4181ee 58506 419270 26 API calls Concurrency::details::_CancellationTokenState::_RegisterCallback 58486->58506 58488->58430 58489 4181f3 58507 402480 26 API calls 3 library calls 58489->58507 58490->58486 58492 418158 58490->58492 58493 41817d 58490->58493 58492->58489 58504 402480 26 API calls 4 library calls 58492->58504 58498 418169 std::_Rethrow_future_exception 58493->58498 58505 402480 26 API calls 4 library calls 58493->58505 58494 4181f8 58497 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58497->58486 58498->58497 58499 4181d0 ~ListArray 58498->58499 58499->58430 58500->58477 58501->58480 58502->58480 58503->58482 58504->58498 58505->58498 58507->58494 58508 4087b2 58509 4087b6 58508->58509 58510 4087b8 GetFileAttributesA 58508->58510 58509->58510 58511 4087c4 58510->58511 58512 41d762 58513 41d76e CallCatchBlock 58512->58513 58538 41d488 58513->58538 58515 41d775 58516 41d8ce 58515->58516 58526 41d79f ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock CallUnexpected 58515->58526 58561 41dba5 4 API calls 2 library calls 58516->58561 58518 41d8d5 58562 436629 58518->58562 58522 41d8e3 58523 41d7be 58524 41d83f 58546 4395bc 58524->58546 58526->58523 58526->58524 58560 436603 37 API calls 3 library calls 58526->58560 58528 41d845 58550 416d30 58528->58550 58539 41d491 58538->58539 58566 41dd91 IsProcessorFeaturePresent 58539->58566 58541 41d49d 58567 4347c4 10 
API calls 2 library calls 58541->58567 58543 41d4a2 58545 41d4a6 58543->58545 58568 4347e3 7 API calls 2 library calls 58543->58568 58545->58515 58547 4395c5 58546->58547 58548 4395ca 58546->58548 58569 439320 49 API calls 58547->58569 58548->58528 58551 416d3b 58550->58551 58570 40ce40 58551->58570 58553 416d45 58554 40d6d0 52 API calls 58553->58554 58555 416d4a 58554->58555 58556 414fc0 77 API calls 58555->58556 58557 416d4f 58556->58557 58558 416d00 CreateThread 58557->58558 58559 416d20 Sleep 58558->58559 58559->58559 58560->58524 58561->58518 58575 4364c7 58562->58575 58565 4365ed 23 API calls CallUnexpected 58565->58522 58566->58541 58567->58543 58568->58545 58569->58548 58571 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58570->58571 58572 40ce92 58571->58572 58573 405c10 51 API calls 58572->58573 58574 40ce9d 58573->58574 58576 4364e7 58575->58576 58577 4364d5 58575->58577 58587 43636e 58576->58587 58603 41dcc7 GetModuleHandleW 58577->58603 58580 4364da 58580->58576 58604 43656d GetModuleHandleExW 58580->58604 58582 41d8db 58582->58565 58586 43652a 58588 43637a CallCatchBlock 58587->58588 58610 438dc8 RtlEnterCriticalSection 58588->58610 58590 436384 58611 4363da 58590->58611 58592 436391 58615 4363af 58592->58615 58595 43652b 58620 43a302 GetPEB 58595->58620 58598 43655a 58601 43656d CallUnexpected 3 API calls 58598->58601 58599 43653a GetPEB 58599->58598 58600 43654a GetCurrentProcess TerminateProcess 58599->58600 58600->58598 58602 436562 ExitProcess 58601->58602 58603->58580 58605 4365af 58604->58605 58606 43658c GetProcAddress 58604->58606 58608 4365b5 FreeLibrary 58605->58608 58609 4364e6 58605->58609 58607 4365a1 58606->58607 58607->58605 58608->58609 58609->58576 58610->58590 58612 4363e6 CallCatchBlock 58611->58612 58613 436447 CallUnexpected 58612->58613 58618 4398a4 14 API calls CallUnexpected 58612->58618 58613->58592 58619 438e10 RtlLeaveCriticalSection 58615->58619 58617 43639d 58617->58582 58617->58595 
58618->58613 58619->58617 58621 436535 58620->58621 58622 43a31c 58620->58622 58621->58598 58621->58599 58624 43b2c7 5 API calls _unexpected 58622->58624 58624->58621 58625 40d159 GetModuleFileNameA 58626 40d191 58625->58626 58626->58626 58627 4180c0 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58626->58627 58628 40d1ad 58627->58628 58629 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58628->58629 58630 40d1c0 58629->58630 58631 405c10 51 API calls 58630->58631 58632 40d1cb 58631->58632 58634 40d1f4 58632->58634 58754 418f40 26 API calls 4 library calls 58632->58754 58673 418220 58634->58673 58636 40d27a ~ListArray 58637 40d57c 58636->58637 58639 40d441 ~ListArray 58636->58639 58638 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58637->58638 58640 40d581 58638->58640 58642 4180c0 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58639->58642 58646 40d4e5 ~ListArray 58639->58646 58641 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58640->58641 58649 40d586 58641->58649 58644 40d480 58642->58644 58643 40d54a ~ListArray 58645 41cff1 CatchGuardHandler 5 API calls 58643->58645 58647 4180c0 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58644->58647 58650 40d56b 58645->58650 58646->58640 58646->58643 58648 40d4ac 58647->58648 58651 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58648->58651 58652 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58649->58652 58653 40d4c7 58651->58653 58654 40d5dd 58652->58654 58655 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58653->58655 58656 405c10 51 API calls 58654->58656 58657 40d4dc 58655->58657 58658 40d5e5 58656->58658 58681 40b1a0 GetUserNameA 58657->58681 58660 418220 26 API calls 58658->58660 58661 40d5f5 
58660->58661 58662 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58661->58662 58663 40d610 58662->58663 58664 405c10 51 API calls 58663->58664 58665 40d617 58664->58665 58666 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58665->58666 58667 40d62c 58666->58667 58668 405c10 51 API calls 58667->58668 58669 40d633 ~ListArray 58668->58669 58670 40d6aa ~ListArray 58669->58670 58671 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58669->58671 58672 40d6c9 58671->58672 58674 418292 58673->58674 58675 418248 58673->58675 58680 4182a1 CatchIt 58674->58680 58756 418f40 26 API calls 4 library calls 58674->58756 58675->58674 58676 418251 58675->58676 58755 419280 26 API calls 2 library calls 58676->58755 58679 41825a 58679->58636 58680->58636 58682 40b217 58681->58682 58682->58682 58683 4180c0 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58682->58683 58684 40b233 58683->58684 58685 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58684->58685 58686 40b2dd 58685->58686 58687 40b3ad CoInitialize 58686->58687 58688 40b3d1 CoCreateInstance 58687->58688 58705 40b3fa ~ListArray 58687->58705 58689 40b780 58688->58689 58690 40b3f4 CoUninitialize 58688->58690 58691 40b7a6 58689->58691 58719 40b84b Concurrency::details::SchedulerBase::ThrowSchedulerEvent 58689->58719 58690->58705 58695 40b7c2 CoUninitialize 58691->58695 58696 40b7d9 CoUninitialize 58691->58696 58691->58705 58692 40b9e2 58693 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58692->58693 58694 40b9e7 58693->58694 58697 40ba46 CoInitialize 58694->58697 58695->58705 58698 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58696->58698 58699 40ba61 CoCreateInstance 58697->58699 58712 40ba87 ~ListArray 58697->58712 58700 40b7f3 58698->58700 58701 40ba81 CoUninitialize 
58699->58701 58716 40bb07 58699->58716 58702 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58700->58702 58701->58712 58704 40b80b 58702->58704 58703 40b77b ~ListArray 58708 41cff1 CatchGuardHandler 5 API calls 58703->58708 58707 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58704->58707 58705->58692 58705->58703 58706 40bb05 ~ListArray 58709 41cff1 CatchGuardHandler 5 API calls 58706->58709 58711 40b823 58707->58711 58713 40b9de 58708->58713 58714 40bb86 58709->58714 58710 40bb8a 58715 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58710->58715 58717 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58711->58717 58712->58706 58712->58710 58713->58646 58714->58646 58718 40bb8f 58715->58718 58716->58712 58722 40bb40 CoUninitialize 58716->58722 58723 40bb54 CoUninitialize 58716->58723 58720 40b835 58717->58720 58728 40bbd6 Concurrency::details::SchedulerProxy::GrantAllocation Concurrency::details::SchedulerBase::ThrowSchedulerEvent 58718->58728 58730 40bd80 ~ListArray 58718->58730 58724 40b8cc GetLocalTime 58719->58724 58721 40b1a0 45 API calls 58720->58721 58721->58705 58725 40bb4f 58722->58725 58723->58712 58739 40b96b CoUninitialize 58724->58739 58725->58712 58726 40bdea ~ListArray 58727 41cff1 CatchGuardHandler 5 API calls 58726->58727 58731 40be0e 58727->58731 58732 40bbf6 CreateFileA InternetOpenA InternetOpenUrlA InternetReadFile 58728->58732 58729 40be1c 58733 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58729->58733 58730->58726 58730->58729 58731->58646 58735 40bc97 CloseHandle InternetCloseHandle InternetCloseHandle 58732->58735 58736 40bc68 58732->58736 58734 40be21 58733->58734 58737 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58735->58737 58736->58735 58738 40bc77 WriteFile InternetReadFile 58736->58738 58741 40bcba 
58737->58741 58738->58735 58738->58736 58739->58705 58742 40bd05 ~ListArray 58741->58742 58744 40be12 58741->58744 58743 40bd6b ~ListArray 58742->58743 58757 436a44 42 API calls 2 library calls 58742->58757 58743->58730 58746 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58744->58746 58748 40be17 58746->58748 58747 40bd24 58758 406d70 26 API calls 2 library calls 58747->58758 58751 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58748->58751 58750 40bd32 RemoveDirectoryA 58750->58743 58753 40bd49 58750->58753 58751->58729 58753->58743 58753->58748 58754->58634 58755->58679 58756->58680 58757->58747 58758->58750 58759 40d79c 58760 40d7a7 58759->58760 58761 40d7cc ~ListArray 58759->58761 58760->58761 58762 40db6a 58760->58762 58765 40d905 GetModuleFileNameA 58761->58765 58763 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58762->58763 58764 40db6f 58763->58764 58766 4367b7 67 API calls 58764->58766 58767 40d940 58765->58767 58768 40db75 58766->58768 58767->58767 58770 4180c0 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58767->58770 58784 4179c0 58768->58784 58775 40d95c 58770->58775 58772 417a00 Concurrency::details::_CancellationTokenState::_RegisterCallback 28 API calls 58773 40dba5 58772->58773 58774 4179c0 26 API calls 58773->58774 58778 40dbb8 58774->58778 58776 40db42 ~ListArray 58775->58776 58779 40dbcb 58775->58779 58777 41cff1 CatchGuardHandler 5 API calls 58776->58777 58780 40db63 58777->58780 58778->58779 58781 436629 23 API calls 58778->58781 58782 436c6a Concurrency::details::_CancellationTokenState::_RegisterCallback 25 API calls 58779->58782 58781->58779 58783 40dbd0 58782->58783 58785 4179e0 58784->58785 58785->58785 58786 4180c0 Concurrency::details::_CancellationTokenState::_RegisterCallback 26 API calls 58785->58786 58787 40db8a 58786->58787 58787->58772 58788 222003c 58789 2220049 58788->58789 58803 
2220e0f SetErrorMode SetErrorMode 58789->58803 58794 2220265 58795 22202ce VirtualProtect 58794->58795 58797 222030b 58795->58797 58796 2220439 VirtualFree 58801 22205f4 LoadLibraryA 58796->58801 58802 22204be 58796->58802 58797->58796 58798 22204e3 LoadLibraryA 58798->58802 58800 22208c7 58801->58800 58802->58798 58802->58801 58804 2220223 58803->58804 58805 2220d90 58804->58805 58806 2220dad 58805->58806 58807 2220dbb GetPEB 58806->58807 58808 2220238 VirtualAlloc 58806->58808 58807->58808 58808->58794 58809 79d276 58810 79d285 58809->58810 58813 79da16 58810->58813 58815 79da31 58813->58815 58814 79da3a CreateToolhelp32Snapshot 58814->58815 58816 79da56 Module32First 58814->58816 58815->58814 58815->58816 58817 79da65 58816->58817 58819 79d28e 58816->58819 58820 79d6d5 58817->58820 58821 79d700 58820->58821 58822 79d711 VirtualAlloc 58821->58822 58823 79d749 58821->58823 58822->58823
                      APIs
                      • SetCurrentDirectoryA.KERNEL32(00000000,82CD4C3C,00000000), ref: 0040AA0C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentDirectory
                      • String ID: @3P$VUUU$h-F
                      • API String ID: 1611563598-1891901568
                      • Opcode ID: de469c50572d96fa831817a3e8334893a081dba1cd581f061f222784eee2821c
                      • Instruction ID: 9340701fd5f7403cf7ba50309dfb341378973f904e2d2e41fb1fe6cd50d97ea3
                      • Opcode Fuzzy Hash: de469c50572d96fa831817a3e8334893a081dba1cd581f061f222784eee2821c
                      • Instruction Fuzzy Hash: 4AC2C271A002089FDB18DF28CD89BDEB775EF45304F5081AEE409A72D1DB799A84CF99
                      APIs
                        • Part of subcall function 00408B30: GetTempPathA.KERNEL32(00000104,?,82CD4C3C,?,00000000), ref: 00408B77
                      • GetFileAttributesA.KERNEL32(00000000), ref: 00409A73
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFilePathTemp
                      • String ID: T2F
                      • API String ID: 3199926297-3862687658
                      • Opcode ID: df180cf6ccc42a80ff8a097845aaf710529a4aa3076e3f0e8fe5be7919888161
                      • Instruction ID: f8d341d7b221fbf4855467c9c2f70b5ca956d984b14cba194293e40f11c0d304
                      • Opcode Fuzzy Hash: df180cf6ccc42a80ff8a097845aaf710529a4aa3076e3f0e8fe5be7919888161
                      • Instruction Fuzzy Hash: D942E770D00244DBEF14EBB8C6497DE7BB2AF06314F24466AD411773C2D77D5A848BAA

                      Control-flow Graph

                      APIs
                      • GetVersionExW.KERNEL32(0000011C,82CD4C3C), ref: 00407DAA
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407E0B
                      • GetProcAddress.KERNEL32(00000000), ref: 00407E12
                      • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407ED3
                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407ED7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: InfoSystem$AddressHandleModuleNativeProcVersion
                      • String ID:
                      • API String ID: 374719553-0
                      • Opcode ID: 43ca09576ce7c24a49e7d91595eab8dde10c4ec89019c759e4370e9cc0113e14
                      • Instruction ID: d767b28cf4d1304312a0b4bfeaf627bf696c138522586543ff54ff165ce39ac5
                      • Opcode Fuzzy Hash: 43ca09576ce7c24a49e7d91595eab8dde10c4ec89019c759e4370e9cc0113e14
                      • Instruction Fuzzy Hash: B4E10A70E00654A7DB14BB28CD0B39E7671AB82714F5442AEE815773C2DB7D4E858BCB

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,0043652A,?,?,?,?,?,00437661), ref: 0043654D
                      • TerminateProcess.KERNEL32(00000000,?,0043652A,?,?,?,?,?,00437661), ref: 00436554
                      • ExitProcess.KERNEL32 ref: 00436566
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
                      • Instruction ID: 8ba592f2701f3bed1e9346099357e5860ce392234eb0f7d34856f934df6fdfbc
                      • Opcode Fuzzy Hash: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
                      • Instruction Fuzzy Hash: D7E0EC35000649BFCF116F59ED0D9493B69FB48746F059435FA0A86232CB7ADD92CF89

                      Control-flow Graph

                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0079DA3E
                      • Module32First.KERNEL32(00000000,00000224), ref: 0079DA5E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_79d000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFirstModule32SnapshotToolhelp32
                      • String ID:
                      • API String ID: 3833638111-0
                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction ID: 98af78eb304f4ac4d009d2af1ef0f717c7099204f802d6346d445e5031e8f78a
                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction Fuzzy Hash: 7BF0C231100710AFDB303AF4B88CA6EB6E8EF59364F104128E642914C0DAB8EC058660
                      APIs
                      • GetUserNameA.ADVAPI32(?,?), ref: 0040B1ED
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: NameUser
                      • String ID:
                      • API String ID: 2645101109-0
                      • Opcode ID: 86a4361ad296d9a7c7be782d3087d9ac5decf79edf26736f0f3b57da14de4269
                      • Instruction ID: 04b2a403b83c723c030908a0a5e120f00658eb7981edf9051d4d18a2c30bc2f5
                      • Opcode Fuzzy Hash: 86a4361ad296d9a7c7be782d3087d9ac5decf79edf26736f0f3b57da14de4269
                      • Instruction Fuzzy Hash: 0B211AB191015CABDB2ACF54CD65BEAB7B8EB19704F0042DDA50A63281D7745B88CFA0

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                      • API String ID: 0-3963862150
                      • Opcode ID: cc3441c8cc69dd047227bf6c51d55cfe6d1894cac9eb61caf101bb13ff3a2e9e
                      • Instruction ID: 448877648adff1088d2a9d486534a169f5918e2e35df4f0b5b8ee8aeb0257759
                      • Opcode Fuzzy Hash: cc3441c8cc69dd047227bf6c51d55cfe6d1894cac9eb61caf101bb13ff3a2e9e
                      • Instruction Fuzzy Hash: 5DF1C170900248ABEB24DF54CD85BDEBBB9EB45304F5041AAF509A72C1DB789A84CF99

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00441775: CreateFileW.KERNELBASE(00000000,00000000,?,00441B65,?,?,00000000,?,00441B65,00000000,0000000C), ref: 00441792
                      • GetLastError.KERNEL32 ref: 00441BD0
                      • __dosmaperr.LIBCMT ref: 00441BD7
                      • GetFileType.KERNELBASE(00000000), ref: 00441BE3
                      • GetLastError.KERNEL32 ref: 00441BED
                      • __dosmaperr.LIBCMT ref: 00441BF6
                      • CloseHandle.KERNEL32(00000000), ref: 00441C16
                      • CloseHandle.KERNEL32(0043AC92), ref: 00441D63
                      • GetLastError.KERNEL32 ref: 00441D95
                      • __dosmaperr.LIBCMT ref: 00441D9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D913
                      • CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0040DA2F
                      • send.WS2_32(?,?,00000004,00000000), ref: 0040DC2E
                      • send.WS2_32(?,?,00000008,00000000), ref: 0040DC6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: send$CreateDirectoryFileModuleName
                      • String ID:
                      • API String ID: 2319890793-0

                      Control-flow Graph

                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0222024D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: cess$kernel32.dll
                      • API String ID: 4275171209-1230238691

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:

                      Control-flow Graph

                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: runas
                      • API String ID: 3472027048-4000483414

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00417A00: __Cnd_destroy_in_situ.LIBCPMT ref: 00417AF8
                        • Part of subcall function 00417A00: __Mtx_destroy_in_situ.LIBCPMT ref: 00417B01
                      • Sleep.KERNEL32(000003E8), ref: 0040C7F9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
                      • String ID:
                      • API String ID: 113500496-0

                      Control-flow Graph

                      APIs
                        • Part of subcall function 00409A00: Sleep.KERNELBASE(00000064), ref: 0040A963
                        • Part of subcall function 00409A00: CreateMutexA.KERNELBASE(00000000,00000000,00463254), ref: 0040A981
                        • Part of subcall function 00409A00: GetLastError.KERNEL32 ref: 0040A989
                        • Part of subcall function 00409A00: GetLastError.KERNEL32 ref: 0040A99A
                        • Part of subcall function 00405C10: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 0040617D
                      • CreateThread.KERNEL32(00000000,00000000,Function_00016C70,00000000,00000000,00000000), ref: 00416D10
                      • Sleep.KERNEL32(00007530), ref: 00416D25
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateErrorLastSleep$MutexOpenThread
                      • String ID:
                      • API String ID: 2377761554-0

                      Control-flow Graph

                      APIs
                      • SetErrorMode.KERNELBASE(00000400,?,?,02220223,?,?), ref: 02220E19
                      • SetErrorMode.KERNELBASE(00000000,?,?,02220223,?,?), ref: 02220E1E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0

                      Control-flow Graph

                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0040D167
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileModuleName
                      • String ID:
                      • API String ID: 514040917-0

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:

                      Control-flow Graph

                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: __wsopen_s
                      • String ID:
                      • API String ID: 3347428461-0
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID:
                      • API String ID: 269201875-0
                      APIs
                      • CreateFileW.KERNELBASE(00000000,00000000,?,00441B65,?,?,00000000,?,00441B65,00000000,0000000C), ref: 00441792
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFile
                      • String ID:
                      • API String ID: 823142352-0
                      • Opcode ID: efd75a4b3e0d0f44703b7e6113a489f3725145c46bff7276ab7cb2ca30d4afc5
                      • Instruction ID: 728716dea2d8701cc34847fc6eeab83fc4e7ccc419190b368175d6442f09313a
                      • Opcode Fuzzy Hash: efd75a4b3e0d0f44703b7e6113a489f3725145c46bff7276ab7cb2ca30d4afc5
                      • Instruction Fuzzy Hash: 10D06C3201020DBBDF028F84DC06EDE3BAAFB48715F014150BA1856020C732E861AB94
                      APIs
                      • GetFileAttributesA.KERNELBASE(?), ref: 004087B9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 1c359e556df86ff6f81b295afed9701b7315f92a1b1b96a2d875eaf16d26da57
                      • Instruction ID: cf245ddd44955969ee6657244a22e3e52baad1822ae61319476e7950b8878db5
                      • Opcode Fuzzy Hash: 1c359e556df86ff6f81b295afed9701b7315f92a1b1b96a2d875eaf16d26da57
                      • Instruction Fuzzy Hash: CEC0803801060006DD1C06385F49555330655537B53F40BBDE4F16B2F5CB3D5807D608
                      APIs
                      • GetFileAttributesA.KERNELBASE(?), ref: 004087B9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFile
                      • String ID:
                      • API String ID: 3188754299-0
                      • Opcode ID: 91263034b88fd9d872aba8cf726a75655e3cadde92fadada609a05562aff1eac
                      • Instruction ID: eec6361e8626f86b60cf0449171d9436f9a85d39230ea77d0a5306f3f4484108
                      • Opcode Fuzzy Hash: 91263034b88fd9d872aba8cf726a75655e3cadde92fadada609a05562aff1eac
                      • Instruction Fuzzy Hash: 83C0803801020047DA1C4B386F49515331699537353F00B7DE4B16B2F5CB3EC403C758
                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0079D726
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_79d000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction ID: f74288998e36e0291ff450e26d7345354e703b957fd8a8c4fe40877afe3f1737
                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction Fuzzy Hash: 48112B79A00208EFDB01DF98C985E98BBF5AF08350F058094F9489B362D775EA50DB90
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041C76E
                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041C77C
                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041C78D
                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041C79E
                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041C7AF
                      • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041C7C0
                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0041C7D1
                      • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041C7E2
                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0041C7F3
                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041C804
                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041C815
                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041C826
                      • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041C837
                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041C848
                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041C859
                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041C86A
                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041C87B
                      • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0041C88C
                      • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0041C89D
                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0041C8AE
                      • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0041C8BF
                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041C8D0
                      • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0041C8E1
                      • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0041C8F2
                      • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0041C903
                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041C914
                      • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041C925
                      • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0041C936
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041C947
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041C958
                      • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0041C969
                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0041C97A
                      • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0041C98B
                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0041C99C
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0041C9AD
                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0041C9BE
                      • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0041C9CF
                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0041C9E0
                      • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0041C9F1
                      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0041CA02
                      • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0041CA13
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$HandleModule
                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                      • API String ID: 667068680-295688737
                      • Opcode ID: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
                      • Instruction ID: b27cf2173bd35c32a824bf4ef6feeb97883ccbcf9f0634586d8c00e0a98c48d7
                      • Opcode Fuzzy Hash: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
                      • Instruction Fuzzy Hash: A5612A75952710EBD7016FB4BC4DF893AB8EA09B93B608537F905D21B2E6F88104CB6D
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004070CD
                      • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040712B
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00407144
                      • GetThreadContext.KERNEL32(?,00000000), ref: 00407159
                      • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00407179
                      • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004071BB
                      • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004071D8
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407291
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                      • String ID: $VUUU$invalid stoi argument
                      • API String ID: 3796053839-3954507777
                      • Opcode ID: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
                      • Instruction ID: 38b2a2fa096ae382cc622da32822fc99d79a3e7951b2d8ee4b07a12606b8df86
                      • Opcode Fuzzy Hash: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
                      • Instruction Fuzzy Hash: 59418D74644301BFE7609F50DC06FAA7BE8BF88B05F000529FA84E62D1D7B4E944CB9A
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 02227334
                      • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02227392
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 022273AB
                      • GetThreadContext.KERNEL32(?,00000000), ref: 022273C0
                      • ReadProcessMemory.KERNEL32(?,00458DF8,?,00000004,00000000), ref: 022273E0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocContextCreateFileMemoryModuleNameReadThreadVirtual
                      • String ID: VUUU
                      • API String ID: 338953623-2040033107
                      • Opcode ID: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
                      • Instruction ID: 8bce480760e74251ddca99dc60a730c062c8cf350933052aa22269a9d743ca94
                      • Opcode Fuzzy Hash: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
                      • Instruction Fuzzy Hash: F451D270654301BFD7109BA4DC05F6ABBF9BF84B15F404429FA44AA2D0DBB5E908CF5A
                      APIs
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0224117D
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 022411C9
                        • Part of subcall function 022428C4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 022429B7
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02241235
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 02241251
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 022412A5
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 022412D2
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02241328
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                      • String ID: (
                      • API String ID: 2943730970-3887548279
                      • Opcode ID: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
                      • Instruction ID: 2ffdb721810a634a1f56198f74085159981e9323d1499a5621b458a7c8b24465
                      • Opcode Fuzzy Hash: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
                      • Instruction Fuzzy Hash: EBB18FB0A10616EFDB1CCF98D980B7DBBB5FF44704F144169D809AB658DB70B990CBA4
                      APIs
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00420F16
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00420F62
                        • Part of subcall function 0042265D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00422750
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00420FCE
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00420FEA
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042103E
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042106B
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004210C1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                      • String ID: (
                      • API String ID: 2943730970-3887548279
                      • Opcode ID: 4022e65b4033ba6d99f09e60be676279313672c4fcdd80b72ccf6c64c13963d5
                      • Instruction ID: d8c2f6391a379bc46cf5e5d5dc6ad3851f43131c5326ae158e38cbfcee68216d
                      • Opcode Fuzzy Hash: 4022e65b4033ba6d99f09e60be676279313672c4fcdd80b72ccf6c64c13963d5
                      • Instruction Fuzzy Hash: 89B18BB0A00625EFCB28CF58E980A7AB7F4FF48700F51416EE905AB751D374A981CB99
                      APIs
                        • Part of subcall function 02242F63: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 02242F76
                      • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 0224187B
                        • Part of subcall function 02243076: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 022430A0
                      • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 022419AD
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 02241A0D
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 02241A19
                      • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 02241A54
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 02241A75
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 02241A81
                      • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 02241A8A
                      • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 02241AA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Manager::Resource$Allocation$CoresDynamic$AdjustCoreDataDistributePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalHandleIdleIncreaseInitializeLoadedProcessResetScheduler
                      • String ID:
                      • API String ID: 3189225155-0
                      • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction ID: 2df57e818cb351bb23aebaa20f60ffc7e6d811aaed13e282e95d50b99efb91c8
                      • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction Fuzzy Hash: 57814E71E106269FCB1CCFA8C580A6DB7F6FF48704B1545AED449A7709CB70E991CB90
                      APIs
                        • Part of subcall function 00422CFC: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422D0F
                      • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00421614
                        • Part of subcall function 00422E0F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00422E39
                      • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00421746
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004217A6
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004217B2
                      • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004217ED
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0042180E
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0042181A
                      • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00421823
                      • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0042183B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Manager::Resource$Allocation$CoresDynamic$AdjustCoreDataDistributePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalHandleIdleIncreaseInitializeLoadedProcessResetScheduler
                      • String ID:
                      • API String ID: 3189225155-0
                      • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction ID: 90d9306956e5cc9bb6704af0189ae29657119f80b0b7e1970bf61bc55afc2ad7
                      • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction Fuzzy Hash: FA818C71F00225AFCB18DFA9D580A6EB7F1FF98304B6542AED405A7711CB74AD42CB88
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$InformationTimeZone
                      • String ID: XgE
                      • API String ID: 597776487-2984570469
                      • Opcode ID: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
                      • Instruction ID: df7d7efe0813b1fc9665f027b9df2e4c66d539f3229410abaef311319f10ac1b
                      • Opcode Fuzzy Hash: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
                      • Instruction Fuzzy Hash: 4AC14B71900205ABFB10AF69CE517AFBBA9EF45354F9500AFF88097391E7B88E41C758
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: __floor_pentium4
                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                      • API String ID: 4168288129-2761157908
                      • Opcode ID: ce3e69247486671be022874f0fc313c548611864b1c6192d43177eab318c758e
                      • Instruction ID: 6746934c2724dc80c2da897f8f258f2c486a7fd656fecb76804e093dbfd1dcc1
                      • Opcode Fuzzy Hash: ce3e69247486671be022874f0fc313c548611864b1c6192d43177eab318c758e
                      • Instruction Fuzzy Hash: 44C23971E046288FEB25CE28DD407EAB7B5EB88745F1441EBD84DE7240E778AE818F45
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0224EEE8
                        • Part of subcall function 02249196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 022491B7
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0224EF4E
                      • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0224EF66
                      • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0224EF73
                        • Part of subcall function 0224EA16: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0224EA3E
                        • Part of subcall function 0224EA16: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0224EAD6
                        • Part of subcall function 0224EA16: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0224EAE0
                        • Part of subcall function 0224EA16: Concurrency::location::_Assign.LIBCMT ref: 0224EB14
                        • Part of subcall function 0224EA16: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0224EB1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                      • String ID:
                      • API String ID: 2363638799-0
                      • Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction ID: 65a7fbff3619c4509968c92e12b1910256fbf27ff3705a92ac6bbfd96297c6a0
                      • Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction Fuzzy Hash: F251A3359202159BDF19EF90C884BADB776AF84314F0641A8ED026B399CF71AE05CBA0
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EC81
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0042ECE7
                      • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0042ECFF
                      • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0042ED0C
                        • Part of subcall function 0042E7AF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7
                        • Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
                        • Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
                        • Part of subcall function 0042E7AF: Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
                        • Part of subcall function 0042E7AF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                      • String ID:
                      • API String ID: 2363638799-0
                      • Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction ID: 5e7ff754d2b343dc4c16742e0cc3e1cb9d27b644ec3e5e3051372794b2f11420
                      • Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction Fuzzy Hash: 8051E335B10225EBCF14DF52D885BAEB771AF44314F5540AAE9027B392CB78AE02CB95
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 02256E0D
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 02256E17
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 02256E24
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
                      • Instruction ID: a9defb1dd7096f30f734d048413e54c6758a2633e495932d46d22dca25c503c2
                      • Opcode Fuzzy Hash: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
                      • Instruction Fuzzy Hash: 3231B574911329ABCB21DF64DC88BDDBBB8BF08311F5041EAE81CA6250EB709B818F45
                      APIs
                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00436BA6
                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00436BB0
                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00436BBD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                      • String ID:
                      • API String ID: 3906539128-0
                      • Opcode ID: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
                      • Instruction ID: 1f0ad2aab0448583845f395018efff8d75f4c1db1d39540b3f2c6e774d71cf18
                      • Opcode Fuzzy Hash: 2eca57a45cd8ef25c7ed16031d4a9fd0f8fa1a06597ba881db52fdbbd8b3e27b
                      • Instruction Fuzzy Hash: 5D31C474901329ABCB21DF69DD897CDBBB4BF08314F5091EAE40CA7291E7749B818F49
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,02256791,?,?,?,?,?,022578C8), ref: 022567B4
                      • TerminateProcess.KERNEL32(00000000,?,02256791,?,?,?,?,?,022578C8), ref: 022567BB
                      • ExitProcess.KERNEL32 ref: 022567CD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
                      • Instruction ID: b04bfedde48d2dd19ab64d475f616e3b49c3c8df563dad66cea2adcbab5b0b61
                      • Opcode Fuzzy Hash: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
                      • Instruction Fuzzy Hash: 17E0B635010718ABDF116F94DD48A983B6AEB40742F548924FC058A535CB36D981CB45
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: .$GetProcAddress.$l
                      • API String ID: 0-2784972518
                      • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction ID: 6a2197bd6a543a9cec8c846d293008827625cc018505a6f3886cf1f22a33292c
                      • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                      • Instruction Fuzzy Hash: BE316BB6911619DFDB20CF99C880AADBBF5FF18724F14404AD441B7214D7B2EA49CFA4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 38f1bd2685e55997c2703fc258bc759cbf20cb8828056bff6a68c166f696af58
                      • Instruction ID: 006c3fd5d3773f2c17a7a9c321395bf0c97a7d049ca369ab144f654161d86bf7
                      • Opcode Fuzzy Hash: 38f1bd2685e55997c2703fc258bc759cbf20cb8828056bff6a68c166f696af58
                      • Instruction Fuzzy Hash: 74F14F72E102199FDF14CFA9C884AADFBF1FF88714F1582A9D919AB344D731A941CB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
                      • Instruction ID: 0f1af51de5af96b730dc073be6187f45225b05d1e39be70f77c0bb50ba676d41
                      • Opcode Fuzzy Hash: 4febeba0e6df1972b290d54c079ebb9eef800fd61dd105ca4b93d43a1305ea1a
                      • Instruction Fuzzy Hash: 9BF14F71E002199FEF14CFA9C9806AEB7B1FF88714F25826EE915A7344D735AE01CB94
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,022672AB,?,?,00000008,?,?,02266131,00000000), ref: 022674DD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
                      • Instruction ID: 8fd5d49cfe4829bef035e05c1a60c1cf9e432da5f6b5c48cba4bb7caa32624fe
                      • Opcode Fuzzy Hash: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
                      • Instruction Fuzzy Hash: 31B14E32620605CFD715CF68D48AB65BBF0FF45368F298698E899CF2A5C335E991CB40
                      APIs
                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00447044,?,?,00000008,?,?,00445ECA,00000000), ref: 00447276
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise
                      • String ID:
                      • API String ID: 3997070919-0
                      • Opcode ID: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
                      • Instruction ID: 7a8e5148774215697cf91bc212fe3b67d35b5c5a8621f41dfb32136176b2c313
                      • Opcode Fuzzy Hash: 36254a7a5f10b6b788354df259e86d50cce653991a31e3785c17a1f2ceddeed1
                      • Instruction Fuzzy Hash: 9CB15D31614605DFE728CF28C486B657BE0FF45365F258699E89ACF3A1C339E982CB44
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0041DDA7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor
                      • String ID:
                      • API String ID: 2325560087-0
                      • Opcode ID: 9aa71377ddf51d54108bd68bc2459ad0f115ceeb009950e0c4d0192850e4ba90
                      • Instruction ID: 73b31feacec7ce9fe7b0550b3c6203be5604da4ad9e3037c20952e2b0bfc5a30
                      • Opcode Fuzzy Hash: 9aa71377ddf51d54108bd68bc2459ad0f115ceeb009950e0c4d0192850e4ba90
                      • Instruction Fuzzy Hash: E251B0B2D05B068BDB15CF58D8917AAB7F1FB48304F24856BC405EB350E3B8A980CF59
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
                      • Instruction ID: 570a967a228276ab11149b6e4e1161509f80bf543e50b47658a13463b6584235
                      • Opcode Fuzzy Hash: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
                      • Instruction Fuzzy Hash: A141A871C142296FDB20DFA9CC88AEAB7B9AF45304F1442D9E85DD3214DA359E848F10
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
                      • Instruction ID: 3d492b1ce9647cc9b8e1ba87239a284fe88898690c8d91de180f89449a84ea2b
                      • Opcode Fuzzy Hash: c254cc85ab78f1b64420c7fda183827d5ac03fcf9b54031427e7e9148f272146
                      • Instruction Fuzzy Hash: 2241C6B1C0421DAEDB20DF69DC89AAAB7B9EF49304F1452DEE41DD3201DA389E84CF54
                      APIs
                      • NtFlushProcessWriteBuffers.NTDLL ref: 0041CBAA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: BuffersFlushProcessWrite
                      • String ID:
                      • API String ID: 2982998374-0
                      • Opcode ID: 20c4ea3e2129b60a1e4d1eea87152ba57400039f21031a1d2e21638d1c4937de
                      • Instruction ID: 734eec717fe04ada3b4bcf7b1b1ccceb46d859c39f6a646686bea7d52c1b0365
                      • Opcode Fuzzy Hash: 20c4ea3e2129b60a1e4d1eea87152ba57400039f21031a1d2e21638d1c4937de
                      • Instruction Fuzzy Hash: DFB09236A1B93047CA512B14BC4859E7714AA80B1270A01A6E805A72348A54AD828BDD
                      APIs
                      • SetUnhandledExceptionFilter.KERNEL32(Function_0001DD16,0041D755), ref: 0041DD0F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionFilterUnhandled
                      • String ID:
                      • API String ID: 3192549508-0
                      • Opcode ID: 43c617bf8b0786d196ab8e975300d48b22b3ddc598e3c16071a78d30c9f3b4c1
                      • Instruction ID: acbc3c9ff04c2f6a81d4fdca068cfbd79b9dcce843e89fee5e28ccbd35d34f0d
                      • Opcode Fuzzy Hash: 43c617bf8b0786d196ab8e975300d48b22b3ddc598e3c16071a78d30c9f3b4c1
                      • Instruction Fuzzy Hash:
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                      • Instruction ID: bab9042ad20b8e7ccdddab3020e7a1b13b4106ddaef13513f2d78a92e5fbd74f
                      • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                      • Instruction Fuzzy Hash: 2C515B31634BB6AADB3849E888957BE6B969B02308F04C519CC42DB29DDBF19DC4C717
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 0
                      • API String ID: 0-4108050209
                      • Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                      • Instruction ID: b34b47e9f09f915a8cdca993c5e9340bbf8146411caf7b554e1449dba65cbcf0
                      • Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
                      • Instruction Fuzzy Hash: C15128B02087446ADB3C4A2888957BFE7AAAB1D304F14351FF4C297392CE5D9D4A925E
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 4
                      • API String ID: 0-4088798008
                      • Opcode ID: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
                      • Instruction ID: bb966f72c6da79f877479a72edf9f4d4a420de4e6a026d3ce7a14577b7fbcf0d
                      • Opcode Fuzzy Hash: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
                      • Instruction Fuzzy Hash: 76613AB1E106169FCB1CDF89C580A6EB7B1BF58314F25816DD809A7719CB30EA92CF94
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 4
                      • API String ID: 0-4088798008
                      • Opcode ID: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
                      • Instruction ID: d3640ea578d556721f4490aaac2cfbcd5f657f790f84d66c55eb6511df690334
                      • Opcode Fuzzy Hash: 5578bbf268cf1d7a6cc11f772dbe90f91f38951ddd0f84b7ddcb6c1c960a0822
                      • Instruction Fuzzy Hash: 75612C71E002259FCB18CF49E680A6EB7B1BF58715F66816ED805A7305C738EE46CF94
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
                      • Instruction ID: eb605be20576830f6b34c25644e00d6787cf5f33f001ef57d4ebdc8b7b80a678
                      • Opcode Fuzzy Hash: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
                      • Instruction Fuzzy Hash: B0225EB3F515145BDB0CCA5DDCA27ECB2E3AFD8214B0E813DA40AE3345EA79D9158648
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
                      • Instruction ID: eb605be20576830f6b34c25644e00d6787cf5f33f001ef57d4ebdc8b7b80a678
                      • Opcode Fuzzy Hash: aca00c27e9f0dc5049bb43eb222e30ca6b7b035fc8865b45e586624c015778d4
                      • Instruction Fuzzy Hash: B0225EB3F515145BDB0CCA5DDCA27ECB2E3AFD8214B0E813DA40AE3345EA79D9158648
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
                      • Instruction ID: 765a9223ef13c487c7557e4308376b8ec88d615155af8b150fc28ead185312b7
                      • Opcode Fuzzy Hash: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
                      • Instruction Fuzzy Hash: 1D814570A102669FEB05DFA8C8807FEBBB1FF59304F044269D810A7392C7769549CBA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
                      • Instruction ID: f9f22bcb052e71eb439f106f0b20dd6b4beb7377a8a8d7e69e270393853b03d6
                      • Opcode Fuzzy Hash: 1ff74d21853a1a9411e81bdca10e899a59f84e873a7064e611779bfdc9a01e76
                      • Instruction Fuzzy Hash: 618123B0E042459FEB15CF69D8807EEBBF1BF99300F15027AC910A7392D3789945CBA8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
                      • Instruction ID: 583a05ad65c015775002a6f5a34a5a101764e96eb3b5dabceae10d602535845b
                      • Opcode Fuzzy Hash: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
                      • Instruction Fuzzy Hash: 8121B673F2053947770CC47ECC5627DB6E1C68C501745423AE8A6EA2C1D968D917E2E4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
                      • Instruction ID: be9a9c8fc00186763e8d7bb87cc8d3a0b677fa6828bf284c090cc4d7b2bb0282
                      • Opcode Fuzzy Hash: 52dbd9b1eed41be0fe82de8a4e6ef126f6fae99cdba63995ffaced5ebaf03370
                      • Instruction Fuzzy Hash: D121B673F2043947770CC47E8C5227DB6E1C78C541745423AE8A6EA2C1D968D917E2E4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
                      • Instruction ID: fc7dbe4ab7f789fa8446eb6208853af504e3fa59e1f321da6a345a46afbd145e
                      • Opcode Fuzzy Hash: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
                      • Instruction Fuzzy Hash: E011C623F30C255B675C81AD8C172BAA2D2EBD814471F433AD826E7384E8A4DF13C290
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
                      • Instruction ID: f958b488d66865dd5c15af34d8bdfeb75cad4d2fb9f4de2ca6ead72c17438f02
                      • Opcode Fuzzy Hash: a58c8da4f76282e75a4e86e97fff01a13a6512019c1140d55cc266cde0378697
                      • Instruction Fuzzy Hash: 2411C633F30C255B775C81AD8C172BAA5D2EBD824070F433AD826E7284E9A4DE23D290
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: f01e117b03540b6e54e0c6ac50fffa06fb29e76f11ee4d63bd7bec7665b60f62
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: 6111E6F72200434796248EADD8BC6BAA385EBCA12872C527AD081CB65CD32291CCD603
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction ID: e52f5ae1c551d0b315bb206a3a6972e81541c048b5448aa17bd28fef73111c1e
                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                      • Instruction Fuzzy Hash: 75112B7720018243F6049A2DC8B45BFA795EFC63217AC437FD1414B758DA2AD945960C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801334266.000000000079D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0079D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_79d000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                      • Instruction ID: f73571a3cd52b6841f89c0c44af1fcb126d8ef482ca214e26987b55d401b127d
                      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                      • Instruction Fuzzy Hash: A3118E72340100EFDB54DF55EC81EA673EAEB89321B298165ED08CB312E679EC01C760
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction ID: 33d328c6e6b51499a0493901d7a211dd3e6fc250b23fa79115fce0d1352aa079
                      • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                      • Instruction Fuzzy Hash: 94012B766216109FDF21CFA0C804FAA33F9FB96205F0540B4E906D7245E771AA45CB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                      • Instruction ID: 74ade48e69ea90781232b1ccdfdd54ec47320655880325ad07253ab9096a92cc
                      • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                      • Instruction Fuzzy Hash: 88E04672D22238EBCB15DBD88905D8AF3EDEB48B04B1585A6B902D7114C270DE00CBD0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                      • Instruction ID: 18748302d0d64b74df810d503f589c32a7cabfcbb23ff82dab2ad40ae5c0e835
                      • Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
                      • Instruction Fuzzy Hash: 51E08C72961228EBCB15DB99C90498AF3ECEB4DB08F65109BF901D3250C274DE00C7D4
                      APIs
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041F2BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::invalid_argument::invalid_argument
                      • String ID: pEvents
                      • API String ID: 2141394445-2498624650
                      • Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction ID: 66998cc49b15140c198e060e127dcf308e046c772bddf22695f73d3154dbb627
                      • Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction Fuzzy Hash: 0D819F35D00218DBCF14DFA5C981BEEB7B1AF54314F14406AE801A7282D77DAD8ACB59
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0225F60A
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F1C0
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F1D2
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F1E4
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F1F6
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F208
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F21A
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F22C
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F23E
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F250
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F262
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F274
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F286
                        • Part of subcall function 0225F1A3: _free.LIBCMT ref: 0225F298
                      • _free.LIBCMT ref: 0225F5FF
                        • Part of subcall function 0225B05C: HeapFree.KERNEL32(00000000,00000000,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?), ref: 0225B072
                        • Part of subcall function 0225B05C: GetLastError.KERNEL32(?,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?,?), ref: 0225B084
                      • _free.LIBCMT ref: 0225F621
                      • _free.LIBCMT ref: 0225F636
                      • _free.LIBCMT ref: 0225F641
                      • _free.LIBCMT ref: 0225F663
                      • _free.LIBCMT ref: 0225F676
                      • _free.LIBCMT ref: 0225F684
                      • _free.LIBCMT ref: 0225F68F
                      • _free.LIBCMT ref: 0225F6C7
                      • _free.LIBCMT ref: 0225F6CE
                      • _free.LIBCMT ref: 0225F6EB
                      • _free.LIBCMT ref: 0225F703
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID: 8"F$`'F
                      • API String ID: 161543041-3117062166
                      • Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction ID: fa89c52fac7e61c27ea03374e3c2054de5eb4bf3025bf3ce3dc2bef9c2fb6fde
                      • Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction Fuzzy Hash: A2316031521312DFDB316AB9D944B5777E9BF01368F10C419E868D79A8DB71A840CF10
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0043F3A3
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF59
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF6B
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF7D
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF8F
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFA1
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFB3
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFC5
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFD7
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFE9
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFFB
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F00D
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F01F
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F031
                      • _free.LIBCMT ref: 0043F398
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043F3BA
                      • _free.LIBCMT ref: 0043F3CF
                      • _free.LIBCMT ref: 0043F3DA
                      • _free.LIBCMT ref: 0043F3FC
                      • _free.LIBCMT ref: 0043F40F
                      • _free.LIBCMT ref: 0043F41D
                      • _free.LIBCMT ref: 0043F428
                      • _free.LIBCMT ref: 0043F460
                      • _free.LIBCMT ref: 0043F467
                      • _free.LIBCMT ref: 0043F484
                      • _free.LIBCMT ref: 0043F49C
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID: 8"F$`'F
                      • API String ID: 161543041-3117062166
                      • Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction ID: 543839021cf0bf63342fab8d7291383f9c2b30be018e8c543b9015e977d3828c
                      • Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction Fuzzy Hash: 0C31A232A00201DFEB206A3AD845B5B73E6EF18315F10642FE485D7691DF78EC94CB19
                      APIs
                      • __EH_prolog3.LIBCMT ref: 0223F296
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0223F522
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: H_prolog3std::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 1590901807-0
                      • Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction ID: af384daadc24acf47f5da7dab7b62573e34af680242d5ea9758b33c209499a4d
                      • Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction Fuzzy Hash: F681BFB1D20319DBCF26DFE8EA80BEEB7B5BF04314F254019D901AB689DB74A945CB50
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00465750,00000FA0,?,?,0041D007), ref: 0041D035
                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0041D007), ref: 0041D040
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041D007), ref: 0041D051
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041D063
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041D071
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0041D007), ref: 0041D094
                      • ___scrt_fastfail.LIBCMT ref: 0041D0A5
                      • RtlDeleteCriticalSection.NTDLL(00465750), ref: 0041D0B0
                      • CloseHandle.KERNEL32(00000000,?,?,0041D007), ref: 0041D0C0
                      Strings
                      • WakeAllConditionVariable, xrefs: 0041D069
                      • kernel32.dll, xrefs: 0041D04C
                      • SleepConditionVariableCS, xrefs: 0041D05D
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041D03B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 3578986977-3242537097
                      • Opcode ID: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
                      • Instruction ID: da8957fb05adf3e2478d3987b837cced664d2ae1275a3d1fb98c7f3dc6632c06
                      • Opcode Fuzzy Hash: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
                      • Instruction Fuzzy Hash: 1501B575E40B11ABDB211B75AC08F9B3A98DB45B57F140132FC05D22A1EAB9CC41CA6E
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 0225294A
                        • Part of subcall function 02252748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0225276B
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 0225296B
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 02252978
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 022529C6
                      • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 02252A4D
                      • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 02252A60
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 02252AAD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                      • String ID:
                      • API String ID: 2530155754-0
                      • Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction ID: 04830e437756c8b4769f67755408b4265e97664ac7622c309fe4609d1bd3c4e9
                      • Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction Fuzzy Hash: DD81B03092026AEBDF26CFE4C950BFE7B72AF05308F048198EC412B2D9C7769955DB61
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004326E3
                        • Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432704
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00432711
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043275F
                      • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004327E6
                      • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 004327F9
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00432846
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                      • String ID:
                      • API String ID: 2530155754-0
                      • Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction ID: fb03d83531a47042b93fe6564ff1c061b34d3f88821af197b1cf19dfef14ec32
                      • Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction Fuzzy Hash: 6B81C270900249ABDF169F54CA41BBF7BB1AF0D308F04509AEC4127352C7BA8D16DB65
                      APIs
                      • __EH_prolog3.LIBCMT ref: 0224474C
                      • ListArray.LIBCONCRT ref: 0224479F
                        • Part of subcall function 02244580: RtlInitializeSListHead.NTDLL(?), ref: 0224464C
                        • Part of subcall function 02244580: RtlInitializeSListHead.NTDLL(?), ref: 02244656
                      • ListArray.LIBCONCRT ref: 022447D3
                      • Hash.LIBCMT ref: 0224483C
                      • Hash.LIBCMT ref: 0224484C
                      • RtlInitializeSListHead.NTDLL(?), ref: 022448E1
                      • RtlInitializeSListHead.NTDLL(?), ref: 022448EE
                      • RtlInitializeSListHead.NTDLL(?), ref: 022448FB
                      • RtlInitializeSListHead.NTDLL(?), ref: 02244908
                        • Part of subcall function 02249EA8: std::bad_exception::bad_exception.LIBCMT ref: 02249ECA
                      • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 02244990
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 022449B2
                      • GetLastError.KERNEL32(022456F2,?,?,00000000,?,?), ref: 022449C4
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 022449E1
                        • Part of subcall function 0223FE11: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,022456F2,00000008,?,022449E6,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0223FE29
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02244A0B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                      • String ID:
                      • API String ID: 1224710184-0
                      • Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction ID: 9a20646509f7a925173a49f4615cd199fa4342b3368d29d11f20ad35086b8ba9
                      • Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction Fuzzy Hash: AE8152B0A21B52BBD718DFB4C844BD9FBA9BF08700F10421BE52897280DBB4A564CFD1
                      APIs
                      • ListArray.LIBCONCRT ref: 00424538
                        • Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243E5
                        • Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243EF
                      • ListArray.LIBCONCRT ref: 0042456C
                      • Hash.LIBCMT ref: 004245D5
                      • Hash.LIBCMT ref: 004245E5
                      • RtlInitializeSListHead.NTDLL(?), ref: 0042467A
                      • RtlInitializeSListHead.NTDLL(?), ref: 00424687
                      • RtlInitializeSListHead.NTDLL(?), ref: 00424694
                      • RtlInitializeSListHead.NTDLL(?), ref: 004246A1
                        • Part of subcall function 00429C41: std::bad_exception::bad_exception.LIBCMT ref: 00429C63
                      • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 00424729
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0042474B
                      • GetLastError.KERNEL32(0042548B,?,?,00000000,?,?), ref: 0042475D
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0042477A
                        • Part of subcall function 0041FBAA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0042548B,00000008,?,0042477F,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0041FBC2
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004247A4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                      • String ID:
                      • API String ID: 2750799244-0
                      • Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction ID: 8edcf0d5cb27459604d76cf7b2957bb715be8d06604c13dd231c773c6d0fd610
                      • Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction Fuzzy Hash: 37816EB0B10B22AAD708DF75D845BD9FBA8BF49704F50021FF42897281CBB8A564CBD5
                      APIs
                      • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 02242AA8
                        • Part of subcall function 02243D93: GetVersionExW.KERNEL32(?), ref: 02243DB7
                        • Part of subcall function 02243D93: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 02243E56
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 02242ABC
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 02242ADD
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02242B46
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02242B7A
                        • Part of subcall function 02240A54: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 02240A74
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 02242BFA
                        • Part of subcall function 022425C3: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 022425D7
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02242C42
                        • Part of subcall function 02240A29: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02240A45
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02242C56
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02242C67
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02242CB4
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 02242CD9
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02242CE5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                      • String ID:
                      • API String ID: 4140532746-0
                      • Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction ID: 3c4f476d0517c9d4602bf8b11f21a4a6cfddc4156cff0d2aca1c3c7f445912c0
                      • Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction Fuzzy Hash: C981D671A20616DFCB1CDFEAD89067DB7B1BF48704B15423EE841A7248EF706A40CB55
                      APIs
                      • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00422841
                        • Part of subcall function 00423B2C: GetVersionExW.KERNEL32(?), ref: 00423B50
                        • Part of subcall function 00423B2C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00423BEF
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422855
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422876
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004228DF
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00422913
                        • Part of subcall function 004207ED: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0042080D
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422993
                        • Part of subcall function 0042235C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00422370
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229DB
                        • Part of subcall function 004207C2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004207DE
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229EF
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422A00
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422A4D
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422A72
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00422A7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                      • String ID:
                      • API String ID: 4140532746-0
                      • Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction ID: e80cf76bb90d4b83ff5cf9a0939ff877604985d568bc9a9fcea241cccaa3ebda
                      • Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction Fuzzy Hash: 0481BF71B00526ABCB18DF69FA9057EB7F1BB48704B94403ED441A3741EBB8A981CB9D
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00423BE6), ref: 0041FA7F
                      • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0041FA8D
                      • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0041FA9B
                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0041FAC9
                      • GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAE4
                      • GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAF0
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FB06
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                      • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                      • API String ID: 1654681794-465693683
                      APIs
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 02255607
                      • type_info::operator==.LIBVCRUNTIME ref: 0225562E
                      • ___TypeMatch.LIBVCRUNTIME ref: 0225573A
                      • CatchIt.LIBVCRUNTIME ref: 0225578F
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 02255815
                      • _UnwindNestedFrames.LIBCMT ref: 0225589C
                      • CallUnexpected.LIBVCRUNTIME ref: 022558B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 4234981820-393685449
                      APIs
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 004353A0
                      • type_info::operator==.LIBVCRUNTIME ref: 004353C7
                      • ___TypeMatch.LIBVCRUNTIME ref: 004354D3
                      • CatchIt.LIBVCRUNTIME ref: 00435528
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 004355AE
                      • _UnwindNestedFrames.LIBCMT ref: 00435635
                      • CallUnexpected.LIBVCRUNTIME ref: 00435650
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 4234981820-393685449
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 02252BE9
                        • Part of subcall function 02252748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0225276B
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 02252C0A
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 02252C17
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 02252C65
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 02252D0D
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 02252D3F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                      • String ID:
                      • API String ID: 1256429809-0
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00432982
                        • Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004329A3
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004329B0
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004329FE
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00432AA6
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00432AD8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                      • String ID:
                      • API String ID: 1256429809-0
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0224ECE0
                        • Part of subcall function 02249196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 022491B7
                      • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0224ECF9
                      • Concurrency::location::_Assign.LIBCMT ref: 0224ED0F
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0224ED7C
                      • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 0224ED84
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0224EDAB
                      • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 0224EDB7
                      • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 0224EDEF
                      • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0224EE0E
                      • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 0224EE1C
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0224EE43
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
                      • String ID:
                      • API String ID: 3608406545-0
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EA79
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0042EA92
                      • Concurrency::location::_Assign.LIBCMT ref: 0042EAA8
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0042EB15
                      • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 0042EB1D
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042EB44
                      • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 0042EB50
                      • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 0042EB88
                      • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042EBA7
                      • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 0042EBB5
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0042EBDC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
                      • String ID:
                      • API String ID: 3608406545-0
                      APIs
                      • Sleep.KERNEL32(000005DC), ref: 0040BEB8
                      • InternetOpenW.WININET(00458DC8,00000000,00000000,00000000,00000000), ref: 0040BEC7
                      • InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0040BEEB
                      • HttpOpenRequestA.WININET(?,00000000), ref: 0040BF35
                      • HttpSendRequestA.WININET(?,00000000), ref: 0040BFF5
                      • InternetReadFile.WININET(?,?,000003FF,?), ref: 0040C0A7
                      • InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0040C160
                      • InternetCloseHandle.WININET(?), ref: 0040C187
                      • InternetCloseHandle.WININET(?), ref: 0040C18F
                      • InternetCloseHandle.WININET(?), ref: 0040C197
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSendSleep
                      • String ID:
                      • API String ID: 1439999335-0
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 02246C86
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 02246CB8
                      • List.LIBCONCRT ref: 02246CF3
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 02246D04
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 02246D20
                      • List.LIBCONCRT ref: 02246D5B
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 02246D6C
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02246D87
                      • List.LIBCONCRT ref: 02246DC2
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 02246DCF
                        • Part of subcall function 02246146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0224615E
                        • Part of subcall function 02246146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02246170
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 3403738998-0
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00426A1F
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426A51
                      • List.LIBCONCRT ref: 00426A8C
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426A9D
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426AB9
                      • List.LIBCONCRT ref: 00426AF4
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426B05
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426B20
                      • List.LIBCONCRT ref: 00426B5B
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426B68
                        • Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425EF7
                        • Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425F09
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 3403738998-0
                      APIs
                      • _free.LIBCMT ref: 0225A7D6
                        • Part of subcall function 0225B05C: HeapFree.KERNEL32(00000000,00000000,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?), ref: 0225B072
                        • Part of subcall function 0225B05C: GetLastError.KERNEL32(?,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?,?), ref: 0225B084
                      • _free.LIBCMT ref: 0225A7E2
                      • _free.LIBCMT ref: 0225A7ED
                      • _free.LIBCMT ref: 0225A7F8
                      • _free.LIBCMT ref: 0225A803
                      • _free.LIBCMT ref: 0225A80E
                      • _free.LIBCMT ref: 0225A819
                      • _free.LIBCMT ref: 0225A824
                      • _free.LIBCMT ref: 0225A82F
                      • _free.LIBCMT ref: 0225A83D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      APIs
                      • _free.LIBCMT ref: 0043A56F
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043A57B
                      • _free.LIBCMT ref: 0043A586
                      • _free.LIBCMT ref: 0043A591
                      • _free.LIBCMT ref: 0043A59C
                      • _free.LIBCMT ref: 0043A5A7
                      • _free.LIBCMT ref: 0043A5B2
                      • _free.LIBCMT ref: 0043A5BD
                      • _free.LIBCMT ref: 0043A5C8
                      • _free.LIBCMT ref: 0043A5D6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      APIs
                      • RtlDecodePointer.NTDLL(?), ref: 00445A9B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      APIs
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273B0
                      • SwitchToThread.KERNEL32(?), ref: 004273D3
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273F2
                      • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0042740E
                      • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00427419
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00427440
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
                      • String ID: count$ppVirtualProcessorRoots
                      • API String ID: 3791123369-3650809737
                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 00426E36
                      • GetCurrentProcess.KERNEL32 ref: 00426E3E
                      • DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00426E53
                      • SafeRWList.LIBCONCRT ref: 00426E73
                        • Part of subcall function 00424E6E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00424E7F
                        • Part of subcall function 00424E6E: List.LIBCMT ref: 00424E89
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00426E85
                      • GetLastError.KERNEL32 ref: 00426E94
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00426EAA
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
                      • String ID: eventObject
                      • API String ID: 165577817-1680012138
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
                      • Instruction ID: ee9b374b754267b3a96934832a8bfcd590faa4b6eb17edeb4b1fb680e658e9fc
                      • Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
                      • Instruction Fuzzy Hash: A3C114B0A04649EFEF15DF99C880BAEBBB1AF49314F00416BE441A7393D7789901CF69
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                      • String ID:
                      • API String ID: 3943753294-0
                      • Opcode ID: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                      • Instruction ID: 94d7aaa4f4de0701fdcb41bd4d504ab62f2cafa3e51b03c055b3ac6fb5b94104
                      • Opcode Fuzzy Hash: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                      • Instruction Fuzzy Hash: 29518FB4920206DFCF12DFA4C9849ADB7B9FF08315B1440ABD806AB169CB30ED41CF95
                      APIs
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 02247B6A
                        • Part of subcall function 02245F1F: __EH_prolog3_catch.LIBCMT ref: 02245F26
                        • Part of subcall function 02245F1F: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 02245F5F
                      • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 02247B78
                        • Part of subcall function 02246B84: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 02246BA9
                        • Part of subcall function 02246B84: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 02246BCC
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 02247B91
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 02247B9D
                        • Part of subcall function 02245F1F: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02245FA8
                        • Part of subcall function 02245F1F: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 02245FD7
                        • Part of subcall function 02245F1F: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 02245FE5
                      • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 02247BE9
                      • Concurrency::location::_Assign.LIBCMT ref: 02247C0A
                      • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 02247C12
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 02247C24
                      • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 02247C54
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                      • String ID:
                      • API String ID: 2678502038-0
                      • Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction ID: 1c287195d95cc4bc237a3558884f567a3ef1bbbe32438a1a38b4ab4b778e5563
                      • Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction Fuzzy Hash: 0331F430B203566BDF1EAAF884817FEF7BA9F41304F0404A9C865E7248DF255A45CBE1
                      APIs
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427903
                        • Part of subcall function 00425CB8: __EH_prolog3_catch.LIBCMT ref: 00425CBF
                        • Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00425CF8
                      • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00427911
                        • Part of subcall function 0042691D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00426942
                        • Part of subcall function 0042691D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00426965
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0042792A
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427936
                        • Part of subcall function 00425CB8: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00425D41
                        • Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00425D70
                        • Part of subcall function 00425CB8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00425D7E
                      • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00427982
                      • Concurrency::location::_Assign.LIBCMT ref: 004279A3
                      • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 004279AB
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 004279BD
                      • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 004279ED
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                      • String ID:
                      • API String ID: 2678502038-0
                      • Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction ID: be26d28973ab40e19276e1e39a9ed43843e9869f42fe47dc141d3d43563d5587
                      • Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction Fuzzy Hash: 9F314670B083715AEF16AA7854927FF77B59F01304F4401ABD485D7342DA2C4D8AC3D9
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 02250C02
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,02245F15,?), ref: 02250C14
                      • GetCurrentThread.KERNEL32 ref: 02250C1C
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,02245F15,?), ref: 02250C24
                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,02245F15,?), ref: 02250C3D
                      • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 02250C5E
                        • Part of subcall function 02240478: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02240492
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,02245F15,?), ref: 02250C70
                      • GetLastError.KERNEL32(?,?,?,?,?,02245F15,?), ref: 02250C9B
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02250CB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                      • String ID:
                      • API String ID: 1293880212-0
                      • Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction ID: d7646e8ca1cee5302398c3cbe80bee60b25848e9e40baf47ce1ed0acc05271ca
                      • Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction Fuzzy Hash: A9116679A10311ABD710ABF19D49F9E3BA8AF0A302F084035FD46DA156EB70D6048B36
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 0043099B
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309AD
                      • GetCurrentThread.KERNEL32 ref: 004309B5
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309BD
                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00425CAE,?), ref: 004309D6
                      • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 004309F7
                        • Part of subcall function 00420211: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0042022B
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00425CAE,?), ref: 00430A09
                      • GetLastError.KERNEL32(?,?,?,?,?,00425CAE,?), ref: 00430A34
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00430A4A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                      • String ID:
                      • API String ID: 1293880212-0
                      • Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction ID: 58a410a88ddb3f2405c1133c244b860286e3bd8ce2c4f5659541a2373579a810
                      • Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction Fuzzy Hash: 07112779600301ABD700AFB1BD5AF9B3BA89F19701F14017AF945D6253EA78D800873A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$InformationTimeZone
                      • String ID: XgE$XgE
                      • API String ID: 597776487-1765908331
                      • Opcode ID: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
                      • Instruction ID: be6dd9ca0ad14b8518377538c6e2af219176ae353ed8d9567ce96bf80c846c28
                      • Opcode Fuzzy Hash: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
                      • Instruction Fuzzy Hash: D9C13A73920316DBDB249FE8CC48BBE7BAAEF45314F1442A9DC409B298E7758D85CB50
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
                      • Instruction ID: 4d8d90d01d9b0130ed3407c1a1213f893047b4bddbe8bdd51b1f3a046a4ae4e8
                      • Opcode Fuzzy Hash: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
                      • Instruction Fuzzy Hash: 96F1F5B191025CABDB24CF54CC84BEDBBBAFF44304F5042A9E508A72C5DB759A88CF55
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 00434877
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0043487F
                      • _ValidateLocalCookies.LIBCMT ref: 00434908
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00434933
                      • _ValidateLocalCookies.LIBCMT ref: 00434988
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: S9C$csm
                      • API String ID: 1170836740-582408667
                      • Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction ID: 6575625a84691e9b1f9b7e8611f910fc559112cced3487189da3a48804891882
                      • Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction Fuzzy Hash: 7141E874A00208ABCF10DF69C844ADF7BB4BF89318F14815BE8149B392D779EA11CF99
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: G"@$api-ms-$ext-ms-
                      • API String ID: 0-3963426706
                      • Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction ID: bce6c0f499f03009e687f81e13829494c96e42a1ade786342b8d5ba6f6eadec1
                      • Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction Fuzzy Hash: 82210875A41714ABCB214B65AC4CB2F3758DB097A0F2027A3FE55A7391D738ED0086ED
                      APIs
                      • _SpinWait.LIBCONCRT ref: 0041EEBC
                      • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0041EEC8
                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041EEE1
                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041EF0F
                      • Concurrency::Context::Block.LIBCONCRT ref: 0041EF31
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                      • String ID: iA
                      • API String ID: 1182035702-1118743441
                      • Opcode ID: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
                      • Instruction ID: dbfce4fa691d0a98bc3aa8749e6742a9d80362ff2df78e67c0c5db40cb0b6eee
                      • Opcode Fuzzy Hash: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
                      • Instruction Fuzzy Hash: 1321F374C002099ADF24DFA6C4456EEB7F0FF14324F10052FE851A22C1E7B84AC6CB48
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$___from_strstr_to_strchr
                      • String ID:
                      • API String ID: 3409252457-0
                      • Opcode ID: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
                      • Instruction ID: fc0e79ffec364c70d891c6332922b2209e39a298341cb0d579a214193cf1c89e
                      • Opcode Fuzzy Hash: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
                      • Instruction Fuzzy Hash: 1E5104B1D24336AEDB24AFF4D840A6D7BA9AF05324F06C16AED14971C8EF718640CF55
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$___from_strstr_to_strchr
                      • String ID:
                      • API String ID: 3409252457-0
                      • Opcode ID: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
                      • Instruction ID: f99befb810c5c4866eaf564f7dd7d7d58b29b2c8e151ae40169767ee9d3e76c4
                      • Opcode Fuzzy Hash: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
                      • Instruction Fuzzy Hash: CC513670D05306AFDB24AFBB9841A6E7BA4DF0D314F00616FE510972C1EA7D9940CB4D
                      APIs
                      • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00436EE6), ref: 00436FD6
                      • GetFileInformationByHandle.KERNEL32(?,?), ref: 00437030
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00436EE6,?,000000FF,00000000,00000000), ref: 004370BE
                      • __dosmaperr.LIBCMT ref: 004370C5
                      • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00437102
                        • Part of subcall function 0043732A: __dosmaperr.LIBCMT ref: 0043735F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                      • String ID: nC
                      • API String ID: 1206951868-4036674207
                      • Opcode ID: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
                      • Instruction ID: 47e44e870bed0e4f5047e2c803f8af1af40435cbdbdaacedd5eb414e92fa1372
                      • Opcode Fuzzy Hash: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
                      • Instruction Fuzzy Hash: 25415EB6904604ABCF389FB6DC459ABBBF9EF48300F10542EF996D3211E638D940CB25
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431B42
                        • Part of subcall function 00431E11: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,0043188A), ref: 00431E21
                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00431B57
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431B66
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431C2A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                      • String ID: pContext$switchState
                      • API String ID: 1312548968-2660820399
                      • Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction ID: b863e61c3d732dd5109429b6f29941dee9b5abb7f1e972ae7809c7e47913e2a3
                      • Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction Fuzzy Hash: 8331D835A00204ABCF05EF64C881AAEB775FF4C314F20556BED1197362EB79EE05CA98
                      APIs
                      • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0224EA3E
                        • Part of subcall function 0224E7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0224E7DE
                        • Part of subcall function 0224E7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0224E800
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0224EABB
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0224EAC7
                      • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0224EAD6
                      • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0224EAE0
                      • Concurrency::location::_Assign.LIBCMT ref: 0224EB14
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0224EB1C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                      • String ID:
                      • API String ID: 1924466884-0
                      • Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction ID: a3e87d7f4c1129017b054366c4c87f82a50afb0234435f355478a928dd52de61
                      • Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction Fuzzy Hash: DB418A39A10215DFDB05EFA4C884BADB7B6FF48310F1581A9DD4A9B389DB30A941CF91
                      APIs
                      • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7
                        • Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E577
                        • Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E599
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E854
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E860
                      • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
                      • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
                      • Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                      • String ID:
                      • API String ID: 1924466884-0
                      • Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction ID: 01245f0547eb729828e98329900f8f6e173d559f1909e94d2917f6101dcd408e
                      • Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction Fuzzy Hash: 19415A39A00214EFCF00EF65D484AADB7B5FF48314F5480AAED499B382DB34A941CB95
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 6C$C:\Users\user\Desktop\A1E1u0Rnel.exe
                      • API String ID: 0-3581369470
                      • Opcode ID: dd2dd9f4d129958e1b06d5edd0e164f71e48155ec8fa6cde618221c2102e1a72
                      • Instruction ID: fd95ef61c06ac132fca33f58cee54c31b72be5874fd36115616c9f4bad4a65b4
                      • Opcode Fuzzy Hash: dd2dd9f4d129958e1b06d5edd0e164f71e48155ec8fa6cde618221c2102e1a72
                      • Instruction Fuzzy Hash: 8521C171605219BFDB34AF669C80E2B77BCEF08368F10551AF52892292E769EC009769
                      APIs
                      • __EH_prolog3.LIBCMT ref: 0223F0CD
                      • _SpinWait.LIBCONCRT ref: 0223F123
                      • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0223F12F
                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0223F148
                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0223F176
                      • Concurrency::Context::Block.LIBCONCRT ref: 0223F198
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                      • String ID:
                      • API String ID: 1888882079-0
                      • Opcode ID: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
                      • Instruction ID: 42305938fff900d0db5b377049ce4a2223333c30045f34e74142eca9decbeb81
                      • Opcode Fuzzy Hash: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
                      • Instruction Fuzzy Hash: C321A3B0C2030A8ADF2ADFE4EA447EEB7F1BF04314F50051AD4A5A65A8E7B18644CFD1
                      APIs
                        • Part of subcall function 0225F30A: _free.LIBCMT ref: 0225F32F
                      • _free.LIBCMT ref: 0225F390
                        • Part of subcall function 0225B05C: HeapFree.KERNEL32(00000000,00000000,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?), ref: 0225B072
                        • Part of subcall function 0225B05C: GetLastError.KERNEL32(?,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?,?), ref: 0225B084
                      • _free.LIBCMT ref: 0225F39B
                      • _free.LIBCMT ref: 0225F3A6
                      • _free.LIBCMT ref: 0225F3FA
                      • _free.LIBCMT ref: 0225F405
                      • _free.LIBCMT ref: 0225F410
                      • _free.LIBCMT ref: 0225F41B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction ID: f333ff0b656353a53e905873811f90f83e2fa2419616f82c982644a182ba7180
                      • Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction Fuzzy Hash: 4B11B732952764F6E930B7F0DD05FD7779E7F01300F4088156E99AAC98C638B5048E40
                      APIs
                        • Part of subcall function 0043F0A3: _free.LIBCMT ref: 0043F0C8
                      • _free.LIBCMT ref: 0043F129
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043F134
                      • _free.LIBCMT ref: 0043F13F
                      • _free.LIBCMT ref: 0043F193
                      • _free.LIBCMT ref: 0043F19E
                      • _free.LIBCMT ref: 0043F1A9
                      • _free.LIBCMT ref: 0043F1B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction ID: c3a7340a8ef7a1c42761e22c66233c02557cf0a4384e4ec730fa78aa122713dc
                      • Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction Fuzzy Hash: BC118131940B04AAD930B7B2CC07FCB77EE9F08719F40183EB699A6053DA2EB5594656
                      APIs
                      • GetModuleHandleW.KERNEL32(004512B4,?,00000000,00000000,?,?,?,02243E4D), ref: 0223FCE6
                      • GetProcAddress.KERNEL32(00000000,0045177C), ref: 0223FCF4
                      • GetProcAddress.KERNEL32(00000000,00451794), ref: 0223FD02
                      • GetProcAddress.KERNEL32(00000000,004517AC), ref: 0223FD30
                      • GetLastError.KERNEL32(?,?,?,02243E4D), ref: 0223FD4B
                      • GetLastError.KERNEL32(?,?,?,02243E4D), ref: 0223FD57
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0223FD6D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                      • String ID:
                      • API String ID: 1654681794-0
                      • Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
                      • Instruction ID: c8c2ec8dd676f85205986556c2cb752de128155c36d60837a8e9063ba6c74857
                      • Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
                      • Instruction Fuzzy Hash: D401E57AA203056AD3157BF57D8CBA737ACA904B52B200637F901D21A6EFA8C4048A2D
                      APIs
                      • __Mtx_unlock.LIBCPMT ref: 02237138
                      • std::_Rethrow_future_exception.LIBCPMT ref: 02237189
                      • std::_Rethrow_future_exception.LIBCPMT ref: 02237199
                      • __Mtx_unlock.LIBCPMT ref: 0223723C
                      • __Mtx_unlock.LIBCPMT ref: 02237342
                      • __Mtx_unlock.LIBCPMT ref: 0223737D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
                      • String ID:
                      • API String ID: 1997747980-0
                      • Opcode ID: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
                      • Instruction ID: 771506cdd3ccf6b96d92f8679a1b22efbb38d33d3b6594e0a782336fad46dfad
                      • Opcode Fuzzy Hash: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
                      • Instruction Fuzzy Hash: C7C1EEF19103499BDF22DFE4C844BAEFBF5AF01314F00452ED816A7699EB71A908CB61
                      APIs
                        • Part of subcall function 0041C6AC: mtx_do_lock.LIBCPMT ref: 0041C6B4
                      • __Mtx_unlock.LIBCPMT ref: 00416ED1
                      • std::_Rethrow_future_exception.LIBCPMT ref: 00416F22
                      • std::_Rethrow_future_exception.LIBCPMT ref: 00416F32
                      • __Mtx_unlock.LIBCPMT ref: 00416FD5
                      • __Mtx_unlock.LIBCPMT ref: 004170DB
                      • __Mtx_unlock.LIBCPMT ref: 00417116
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$mtx_do_lock
                      • String ID:
                      • API String ID: 95294986-0
                      • Opcode ID: 046fbe0f4980c1b9ef584b946209c84bf0753a82647ed566538800b283741cc2
                      • Instruction ID: d5c402bd19617442db253326e825c470d249229bcec99b7fb150ec4f877a8494
                      • Opcode Fuzzy Hash: 046fbe0f4980c1b9ef584b946209c84bf0753a82647ed566538800b283741cc2
                      • Instruction Fuzzy Hash: D2C1E171904304ABDB20DFA5C945BEBBBF4AF04314F00456FE81697782EB79A984CB65
                      APIs
                      • GetConsoleCP.KERNEL32(?,02228A07,00000000), ref: 0225FF6F
                      • __fassign.LIBCMT ref: 0226014E
                      • __fassign.LIBCMT ref: 0226016B
                      • WriteFile.KERNEL32(?,02228A07,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 022601B3
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 022601F3
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0226029F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite__fassign$ConsoleErrorLast
                      • String ID:
                      • API String ID: 4031098158-0
                      • Opcode ID: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
                      • Instruction ID: 6c5bf9846a2073a38975c2644666f5df7a18d3a6b04299d75c90bb33f37cf6d1
                      • Opcode Fuzzy Hash: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
                      • Instruction Fuzzy Hash: 86D1BC72D102599FCB11CFE8C884AFDBBB5FF49304F28416AE855BB245D770AA86CB50
                      APIs
                      • GetConsoleCP.KERNEL32(?,004087A0,00000000), ref: 0043FD08
                      • __fassign.LIBCMT ref: 0043FEE7
                      • __fassign.LIBCMT ref: 0043FF04
                      • WriteFile.KERNEL32(?,004087A0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0043FF4C
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0043FF8C
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00440038
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite__fassign$ConsoleErrorLast
                      • String ID:
                      • API String ID: 4031098158-0
                      • Opcode ID: d91de68776c85008b4a445cc7eb9458582a7ab784aea8d95e54cc580eb993dda
                      • Instruction ID: b1fa4e01d1e6861320541c535ea6890982759e22aeb82642623fb23c4c1d3398
                      • Opcode Fuzzy Hash: d91de68776c85008b4a445cc7eb9458582a7ab784aea8d95e54cc580eb993dda
                      • Instruction Fuzzy Hash: 2BD19D71D002589FDF15CFA8D980AEDBBB5BF49304F28016AE855FB342E634A946CB58
                      APIs
                      • Concurrency::location::_Assign.LIBCMT ref: 0224EB85
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0224EB8D
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0224EBB7
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0224EBC0
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0224EC43
                      • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0224EC4B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                      • String ID:
                      • API String ID: 3929269971-0
                      • Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction ID: 7ed87468f21cb48eaed2679d2282b95350835feaa5d36a098fb5aae897274513
                      • Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction Fuzzy Hash: 93414179A10619EFDB09EFA4C894A6DB7B6FF88310F058159E80697794CF74AE01CF81
                      APIs
                      • Concurrency::location::_Assign.LIBCMT ref: 0042E91E
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E926
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E950
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E959
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E9DC
                      • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E9E4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                      • String ID:
                      • API String ID: 3929269971-0
                      • Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction ID: e456b2d5945dcb9d16af89579036fa7bc11e47face3e2a4e749ba7397f49833a
                      • Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction Fuzzy Hash: A7418079B00219EFCB09DF65D454A6DB7B1FF48310F00816AE806A7391CB38AE41CF85
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 0041ECED
                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0041ED17
                        • Part of subcall function 0041F3DD: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0041F3FA
                      • __alloca_probe_16.LIBCMT ref: 0041ED53
                      • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0041ED94
                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0041EDC6
                      • __freea.LIBCMT ref: 0041EDEC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
                      • String ID:
                      • API String ID: 1319684358-0
                      • Opcode ID: 905480babbdb8262410189c15cedbadfc3d9fa68bc29489cc7bbb29755aa4237
                      • Instruction ID: e5ba4aa972b5b687e82aeba40850cce8f465bb6681a4cf65264b7c2e3798f256
                      • Opcode Fuzzy Hash: 905480babbdb8262410189c15cedbadfc3d9fa68bc29489cc7bbb29755aa4237
                      • Instruction Fuzzy Hash: 3C31A3B5E001068BCB14DFAAD5415EEB7B4EF49314F64406FE805E7351DB389D82C799
                      APIs
                      • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0224A2D0
                        • Part of subcall function 0224B7C7: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0224B816
                      • GetCurrentThread.KERNEL32 ref: 0224A2DA
                      • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0224A2E6
                        • Part of subcall function 022405EF: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 02240601
                        • Part of subcall function 02240A7B: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 02240A82
                      • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0224A329
                        • Part of subcall function 0224B779: SetEvent.KERNEL32(?,?,0224A32E,0224B0C2,00000000,?,00000000,0224B0C2,00000004,0224B76E,?,00000000,?,?,00000000), ref: 0224B7BD
                      • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0224A332
                        • Part of subcall function 0224ADA8: __EH_prolog3.LIBCMT ref: 0224ADAF
                        • Part of subcall function 0224ADA8: List.LIBCONCRT ref: 0224ADDE
                      • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0224A342
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                      • String ID:
                      • API String ID: 2908504212-0
                      • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction ID: d48ffae41a664d3e19c4b8fb1380f45050c426aa7d0b1538041eb522339e2b39
                      • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction Fuzzy Hash: 7621ED31520B119FCB28EFA5D9A08AAF3F6FF48304700491EE8429B660DF74F900CB91
                      APIs
                      • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042A069
                        • Part of subcall function 0042B560: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0042B5AF
                      • GetCurrentThread.KERNEL32 ref: 0042A073
                      • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042A07F
                        • Part of subcall function 00420388: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 0042039A
                        • Part of subcall function 00420814: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0042081B
                      • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0042A0C2
                        • Part of subcall function 0042B512: SetEvent.KERNEL32(?,?,0042A0C7,0042AE5B,00000000,?,00000000,0042AE5B,00000004,0042B507,?,00000000,?,?,00000000), ref: 0042B556
                      • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042A0CB
                        • Part of subcall function 0042AB41: List.LIBCONCRT ref: 0042AB77
                      • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042A0DB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
                      • String ID:
                      • API String ID: 318399070-0
                      • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction ID: 786c6bbc9f4db79065070eee32726b74de41850732c6b9a0a53a64165b4dd308
                      • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction Fuzzy Hash: 5721E031600B249FCB24EF66E9908ABF3F5FF48304740455EE942A7651CB38F805CB9A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID: vC
                      • API String ID: 3213747228-1921080006
                      • Opcode ID: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
                      • Instruction ID: 8cae4ceb00b15cc6f8fe4719d8afecb37dc1afbf88934ae700027118ad1b5c75
                      • Opcode Fuzzy Hash: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
                      • Instruction Fuzzy Hash: DEB1F3329046459FEB15CF28C8C27AEBBA5EF49344F24916BE855FB341D6389D02CB68
                      APIs
                      • GetLastError.KERNEL32(?,?,02255195,02253D59,0223B7BC,00462014,?,00000000,0044B3E8,000000FF,?,02222691,?,?), ref: 022551AC
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 022551BA
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 022551D3
                      • SetLastError.KERNEL32(00000000,?,02255195,02253D59,0223B7BC,00462014,?,00000000,0044B3E8,000000FF,?,02222691,?,?), ref: 02255225
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
                      • Instruction ID: 521fc24a0eac1885522b3351bd0b26fa7d1265041efb75cd91a3ecf7aea80281
                      • Opcode Fuzzy Hash: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
                      • Instruction Fuzzy Hash: D80128325397327DE61017F47C84A2A2A4BEB007747608339FE24890F8FFF14850C685
                      APIs
                      • GetLastError.KERNEL32(?,?,00434F2E,00433AF2,0041B555,82CD4C3C,?,00000000,0044B3E8,000000FF,?,0040242A,?,?), ref: 00434F45
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00434F53
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00434F6C
                      • SetLastError.KERNEL32(00000000,?,00434F2E,00433AF2,0041B555,82CD4C3C,?,00000000,0044B3E8,000000FF,?,0040242A,?,?), ref: 00434FBE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
                      • Instruction ID: 15ffdb8e0af02f49516ecf1b0bf4576f7fedfc7d9ef3b4932012a3e501010d40
                      • Opcode Fuzzy Hash: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
                      • Instruction Fuzzy Hash: 0701283250C7227DAA2027757C4599BAA86EB4A3B8F24223FF724402E1EF9D5C01968D
                      APIs
                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0223FE90
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0223FE96
                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0223FEC3
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0223FECD
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0223FEDF
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0223FEF5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                      • String ID:
                      • API String ID: 2808382621-0
                      • Opcode ID: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
                      • Instruction ID: 543ea38df50fb27e1ad26bce7f5627c62498577cc00b3886a6d4802417e29196
                      • Opcode Fuzzy Hash: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
                      • Instruction Fuzzy Hash: 6F01FC7A9203166BD711ABF5FD44BAF37B8EF41752F100436F809E2896DB34D5048B65
                      APIs
                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC29
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC2F
                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC5C
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC66
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0041FC78
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FC8E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                      • String ID:
                      • API String ID: 2808382621-0
                      • Opcode ID: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
                      • Instruction ID: 03917569e0bc54ee2298924e5aad4e28c925d034798c30f2cdbb860cd2e6707d
                      • Opcode Fuzzy Hash: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
                      • Instruction Fuzzy Hash: 9F01DD3564020567D700AB66EC49BEB7768BF41712B54043BFC01D1152EB2CE549979D
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 022629C3
                      • _free.LIBCMT ref: 022629B1
                        • Part of subcall function 0225B05C: HeapFree.KERNEL32(00000000,00000000,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?), ref: 0225B072
                        • Part of subcall function 0225B05C: GetLastError.KERNEL32(?,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?,?), ref: 0225B084
                      • _free.LIBCMT ref: 02262B7D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                      • String ID: XgE$XgE
                      • API String ID: 2155170405-1765908331
                      • Opcode ID: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
                      • Instruction ID: 2fb685d77d8b61bddab7b326d8e5d5964d671f85023fb9e52272d8f678a42832
                      • Opcode Fuzzy Hash: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
                      • Instruction Fuzzy Hash: B951F772910316EBDB20EFE48C489BE77BDEF44314B15436ADC10A7298E7B48E80CB95
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: mtx_do_lock
                      • String ID: list too long
                      • API String ID: 1389037287-1124181908
                      • Opcode ID: e8db10ea1e9f31c1c4c8cd784e01dfd0d2ddfc129ac8cf217fbe486e9ba11e96
                      • Instruction ID: 0007737cba0ef289931fff910482b9d26868eafb82600a80664d17b7d07a3ec6
                      • Opcode Fuzzy Hash: e8db10ea1e9f31c1c4c8cd784e01dfd0d2ddfc129ac8cf217fbe486e9ba11e96
                      • Instruction Fuzzy Hash: F951CA71D04718ABDB10DF65CC8AB9AB3B8EF14714F1041ABF80DA7281E778A985CF59
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431885
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004318A4
                      • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004318EB
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                      • String ID: pContext
                      • API String ID: 1284976207-2046700901
                      • Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction ID: d01a77f2ab9abe46547ca181dc4035302de0eae64105b64324a031690df06c10
                      • Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction Fuzzy Hash: 3421EA35B006159BCB19B765D895ABD73A5BF98338F04112BE411872E1CB6CAC428A9D
                      Strings
                      • C:\Users\user\Desktop\A1E1u0Rnel.exe, xrefs: 0225E24F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user\Desktop\A1E1u0Rnel.exe
                      • API String ID: 0-3990406446
                      • Opcode ID: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
                      • Instruction ID: 223f8bf305640e047a44ba65ea7b036448c5a5bab3e147aeff036514e38bdd92
                      • Opcode Fuzzy Hash: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
                      • Instruction Fuzzy Hash: 3C21B3B1A24626BFDB10AFE19C84E7AB79EEF00375701C524ED25D6158DB70DE408BA0
                      APIs
                      • __EH_prolog3_catch.LIBCMT ref: 02249F03
                      • std::bad_exception::bad_exception.LIBCMT ref: 02249F65
                      • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 02249FA7
                      • std::bad_exception::bad_exception.LIBCMT ref: 02249FD1
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_ResolveSchedulerValues
                      • String ID: 8[F
                      • API String ID: 3836581985-331943168
                      • Opcode ID: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
                      • Instruction ID: a71749aff5f30f6e33e13425a4d0fcc638d032850417193b0e166d1e11de0c94
                      • Opcode Fuzzy Hash: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
                      • Instruction Fuzzy Hash: 3821CF729602049FDB09EFE4D884AAEB7B5EF04310B11412AE505AB298DF71BD86CF55
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wcsrchr
                      • String ID: .bat$.cmd$.com$.exe
                      • API String ID: 1752292252-4019086052
                      • Opcode ID: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
                      • Instruction ID: 2fe954d65b4b50834951edb994104e0446c73801206968c056bf44c713a15be5
                      • Opcode Fuzzy Hash: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
                      • Instruction Fuzzy Hash: 8D01086760861635663520199E0276713888BCABB8F25202FFDA4F73C1EF8CDD42A1EC
                      APIs
                      • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00424F01
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00424F24
                      • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00424F66
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                      • String ID: count$ppVirtualProcessorRoots
                      • API String ID: 18808576-3650809737
                      • Opcode ID: 0f050f97b8179aa4ac2a16646d21eb55e2bc560f4bbb76bd7718e5c12f5aa014
                      • Instruction ID: 0fe100e528eb00baa15785fa13c2d5db46de6353967fcf2c4de188508199a33a
                      • Opcode Fuzzy Hash: 0f050f97b8179aa4ac2a16646d21eb55e2bc560f4bbb76bd7718e5c12f5aa014
                      • Instruction Fuzzy Hash: 43210034B00224EFCB04EF99D881EAD73A0FF88315F40406FE40697692CB74AE01CB58
                      APIs
                      • GetLastError.KERNEL32(?,?,?,02256BB1,?,?,?,?,022578C8,?), ref: 0225A8DD
                      • _free.LIBCMT ref: 0225A93A
                      • _free.LIBCMT ref: 0225A970
                      • SetLastError.KERNEL32(00000000,00462170,000000FF,?,?,02256BB1,?,?,?,?,022578C8,?), ref: 0225A97B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction ID: fc36f244e9703bac482c8540298f60df6db2368cb525bd138bd4d1f656368649
                      • Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction Fuzzy Hash: 6711CA322347317AD63126F45C86E7A125BBBC27B9B26C335FE24921ECEAB28C054516
                      APIs
                      • GetLastError.KERNEL32(?,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A676
                      • _free.LIBCMT ref: 0043A6D3
                      • _free.LIBCMT ref: 0043A709
                      • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A714
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction ID: 8cce909c9ac14f6c448446a217854be9d18c12721b99b88a770a56678c5f8ba9
                      • Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction Fuzzy Hash: 2511AB312447007A961166766C86A2B215AD7D937DF24213FF3A4462D2EEAD8C32515F
                      APIs
                      • GetLastError.KERNEL32(?,?,?,02257862,022224AE), ref: 0225AA34
                      • _free.LIBCMT ref: 0225AA91
                      • _free.LIBCMT ref: 0225AAC7
                      • SetLastError.KERNEL32(00000000,00462170,000000FF,?,02257862,022224AE), ref: 0225AAD2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction ID: 7b76627faab2e6122cb0bb2addaeebea0430b1b8362c49f3750cae890c969447
                      • Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction Fuzzy Hash: 18110C312347317EDB1167F45D81E7A23ABABC2778B148335FE14921ECEEB68C054915
                      APIs
                      • GetLastError.KERNEL32(?,?,?,004375FB,00402247), ref: 0043A7CD
                      • _free.LIBCMT ref: 0043A82A
                      • _free.LIBCMT ref: 0043A860
                      • SetLastError.KERNEL32(00000000,00000008,000000FF,?,004375FB,00402247), ref: 0043A86B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction ID: 43a0ef826740dec3b5b6cec3c960c44763b9b2bf66f2e005ed7dcd0d28945869
                      • Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction Fuzzy Hash: 0A1106312847003A961132765CC5E6B221AEBC977DF24223BF764822D2EFAECC23415F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: api-ms-
                      • API String ID: 0-2084034818
                      • Opcode ID: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
                      • Instruction ID: e982735470ecda22ca74b33b30026038f59a5160edbe4d0761f7899da1883318
                      • Opcode Fuzzy Hash: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
                      • Instruction Fuzzy Hash: 72110F35901726BBC736CB68DC45A1F37749F097A1F325523ED01A7391D638DD008AE8
                      APIs
                      • StructuredWorkStealingQueue.LIBCMT ref: 0225231E
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0225232F
                      • StructuredWorkStealingQueue.LIBCMT ref: 02252365
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 02252376
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                      • String ID: e
                      • API String ID: 3804418703-4024072794
                      • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction ID: e74ed2d7a03654f80fa7537b88564264c2bb81e8045daa9d254a20e5e328fb39
                      • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction Fuzzy Hash: C311A731131226FBDB15DEE8C84066F77A9AF01364B14C269EC06DF299DB71E905CF90
                      APIs
                      • StructuredWorkStealingQueue.LIBCMT ref: 004320B7
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004320C8
                      • StructuredWorkStealingQueue.LIBCMT ref: 004320FE
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043210F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                      • String ID: e
                      • API String ID: 3804418703-4024072794
                      • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction ID: 1ff5ec0336f97ae43b1f0b8f375a3bc5f2b05840f56227257267f5d03aa7fa4d
                      • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction Fuzzy Hash: 9411C131200104ABDF45DE69CB8166B73A4AF0A328F14D05BFD068F242DBF9D905CB99
                      APIs
                      • Sleep.KERNEL32(00000064), ref: 0222ABCA
                      • CreateMutexA.KERNEL32(00000000,00000000,00463254), ref: 0222ABE8
                      • GetLastError.KERNEL32 ref: 0222ABF0
                      • GetLastError.KERNEL32 ref: 0222AC01
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$CreateMutexSleep
                      • String ID: T2F
                      • API String ID: 3645482037-3862687658
                      • Opcode ID: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
                      • Instruction ID: d773e172bc497da1d57abe584971b7796033600a9066e19fb5008db7ffd6c336
                      • Opcode Fuzzy Hash: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
                      • Instruction Fuzzy Hash: 2A01F431640300FBE7109FA8FC08F5A7769E740B22F600A35F515D75D4DB799948CB59
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 00436582
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00436595
                      • FreeLibrary.KERNEL32(00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 004365B8
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                      • Instruction ID: dbc2b550f678300173dffafd29bb25114a02185772f501870b49608a3602ef38
                      • Opcode Fuzzy Hash: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                      • Instruction Fuzzy Hash: C4F01235941319FBDB129B50ED0EB9E7A79EB04757F154072F805A22A1CB78CF04DB98
                      APIs
                      • SleepConditionVariableCS.KERNELBASE(?,0041D136,00000064), ref: 0041D1BC
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D1C6
                      • WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,0041D136,00000064,?,771B0F00,?,004075ED,00468680), ref: 0041D1D7
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D1DE
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                      • String ID: PWF
                      • API String ID: 3269011525-4189640852
                      • Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction ID: 46656ffccb6e8e596dcc74b2c483e7fba3308dd0c831886d2789c24014a254a2
                      • Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction Fuzzy Hash: 75E01235641B24F7CB021B50EC09B8E3F58EB05753F144032FA05661619B659D40DBDF
                      APIs
                      • GetCPInfo.KERNEL32(00791F50,00791F50,?,7FFFFFFF,?,?,00446A65,00791F50,00791F50,?,00791F50,?,?,?,?,00791F50), ref: 0044684C
                      • __alloca_probe_16.LIBCMT ref: 00446902
                      • __alloca_probe_16.LIBCMT ref: 00446998
                      • __freea.LIBCMT ref: 00446A03
                      • __freea.LIBCMT ref: 00446A0F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: __alloca_probe_16__freea$Info
                      • String ID:
                      • API String ID: 2330168043-0
                      • Opcode ID: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
                      • Instruction ID: 261b0646ef3bb21783759df69fc444e01875a83395626589d87ed72ffed4e1ba
                      • Opcode Fuzzy Hash: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
                      • Instruction Fuzzy Hash: 4481C172D006459BEF20AF658881AEF7BB5DF0B354F1A405BE904B7341E739CC458BAA
                      APIs
                      • __alloca_probe_16.LIBCMT ref: 00444C98
                      • __alloca_probe_16.LIBCMT ref: 00444D5E
                      • __freea.LIBCMT ref: 00444DCA
                        • Part of subcall function 0043B04B: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0043B07D
                      • __freea.LIBCMT ref: 00444DD3
                      • __freea.LIBCMT ref: 00444DF6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: __freea$__alloca_probe_16$AllocateHeap
                      • String ID:
                      • API String ID: 1423051803-0
                      • Opcode ID: 1f817f6d5ac6458dcc7bc62f3b6682248ba7d3e94ffd72069e84dbc94cae19ff
                      • Instruction ID: 3df8754f567642f5bc12b9c6ac1686bc91f11376b98a6e44c20c24ac8824f300
                      • Opcode Fuzzy Hash: 1f817f6d5ac6458dcc7bc62f3b6682248ba7d3e94ffd72069e84dbc94cae19ff
                      • Instruction Fuzzy Hash: 1651D5B2A00216ABFB255F55DC81FBB36A9DFC4754F15012BFD0497251EB38DC1186A8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
                      • Instruction ID: 936802e6dc126903fefdc5a8af27d27a5dc378200e48cce8b08c7d90c4653ffe
                      • Opcode Fuzzy Hash: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
                      • Instruction Fuzzy Hash: 5861C3B0D14319ABDB20DFA4CD89B99F7B4FF04310F0042AAE90CA7255EB71AA45CF56
                      APIs
                      • __Mtx_unlock.LIBCPMT ref: 0040DF4D
                      • recv.WS2_32(?,?,00001F40,00000000), ref: 0040DF86
                      • recv.WS2_32(?,?,00001F40,00000000), ref: 0040DFB4
                      • closesocket.WS2_32(?), ref: 0040E028
                      • __Mtx_unlock.LIBCPMT ref: 0040E05D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Mtx_unlockrecv$closesocket
                      • String ID:
                      • API String ID: 1157980791-0
                      • Opcode ID: b3ca68a6cb2e0dd676154645a2f8576170dabd98dca11c7a3b3798b3f7b83ddb
                      • Instruction ID: ff851d167357bcc52532b6b7cc28a367e5acf8f97903fc6b0511556a698fdea0
                      • Opcode Fuzzy Hash: b3ca68a6cb2e0dd676154645a2f8576170dabd98dca11c7a3b3798b3f7b83ddb
                      • Instruction Fuzzy Hash: DF51D371D04201EFD7209F51CC89A96B7B5FF04304F1481BFE80AA72A1EB75AD54CB59
                      APIs
                      • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0225714D), ref: 0225723D
                      • GetFileInformationByHandle.KERNEL32(?,?), ref: 02257297
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0225714D,?,000000FF,00000000,00000000), ref: 02257325
                      • __dosmaperr.LIBCMT ref: 0225732C
                      • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 02257369
                        • Part of subcall function 02257591: __dosmaperr.LIBCMT ref: 022575C6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                      • String ID:
                      • API String ID: 1206951868-0
                      • Opcode ID: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
                      • Instruction ID: 143348a70ce93a01fb2f178f6e05a989db61e7cea6c3073702d9886ff7244dca
                      • Opcode Fuzzy Hash: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
                      • Instruction Fuzzy Hash: 544138759A0755ABDB249FE5E8449AFFBFAEF88310B008529EC56D7224E730D940CB21
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 0222BCBE
                      • CoCreateInstance.COMBASE(00458F80,00000000,00000001,00458F90,?), ref: 0222BCDA
                      • CoUninitialize.COMBASE ref: 0222BCE8
                      • CoUninitialize.COMBASE ref: 0222BDA7
                      • CoUninitialize.COMBASE ref: 0222BDBB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Uninitialize$CreateInitializeInstance
                      • String ID:
                      • API String ID: 1968832861-0
                      • Opcode ID: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
                      • Instruction ID: d3c5cbfc771ce364efade1b8d534244fbee9154dc2db9315807476df5f50b691
                      • Opcode Fuzzy Hash: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
                      • Instruction Fuzzy Hash: 7A41A171A20219AFDB04CFA4CC89BEE7779EF48719F108158F805E7295DB75E944CB90
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0224DDCB
                        • Part of subcall function 02249196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 022491B7
                      • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0224DE2A
                      • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0224DE50
                      • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0224DE70
                      • Concurrency::location::_Assign.LIBCMT ref: 0224DEBD
                        • Part of subcall function 02251599: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 022515DE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                      • String ID:
                      • API String ID: 1879022333-0
                      • Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction ID: bc029b428d892b4365712b9dfa87715bdef64f6ed520c1a92cbb47bc5f2c9f80
                      • Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction Fuzzy Hash: 47410574720311ABDF1EABA4C884BBDBB76AF45B14F044099E8069B389CF70AD45CBD1
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042DB64
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042DBC3
                      • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042DBE9
                      • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0042DC09
                      • Concurrency::location::_Assign.LIBCMT ref: 0042DC56
                        • Part of subcall function 00431332: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431377
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                      • String ID:
                      • API String ID: 1879022333-0
                      • Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction ID: de4f072aaf1dca0b17399bd929b16a9a875841cf6160958f8114d71bd43867b1
                      • Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction Fuzzy Hash: 84412774B04220ABCF199B25D895BAEBB75AF45310F40409FE5065B3C2CB78AD45C7D9
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 0223EF54
                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0223EF7E
                        • Part of subcall function 0223F644: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0223F661
                      • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0223EFFB
                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0223F02D
                      • __freea.LIBCMT ref: 0223F053
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
                      • String ID:
                      • API String ID: 2497068736-0
                      • Opcode ID: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
                      • Instruction ID: eedf5619926dfb529fce04193d37a3230c18556be21c530f4d161daced55ed62
                      • Opcode Fuzzy Hash: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
                      • Instruction Fuzzy Hash: E23190F1E202068BCF16DFE8C540AADB7B6AF48314F15406AE405E7358DB74AD06CB95
                      APIs
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 02247617
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 02247659
                      • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 02247675
                      • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 02247680
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 022476A7
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 3897347962-0
                      • Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
                      • Instruction ID: c298fbad14c5c190754d001be12410b476239ca4270b03bf8db017e4a8b695c7
                      • Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
                      • Instruction Fuzzy Hash: 61217174A10309AFCB08EFE9C494AADB7B6BF09344F1040A9D911AB365DF30AE44CF94
                      APIs
                      • getaddrinfo.WS2_32(?,00000000,?,?), ref: 0040DE2C
                      • FreeAddrInfoW.WS2_32(?), ref: 0040DE4D
                      • socket.WS2_32(00000002,00000001,00000000), ref: 0040DE75
                      • connect.WS2_32(00000000,?,00000010), ref: 0040DE87
                      • closesocket.WS2_32(00000000), ref: 0040DEA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddrFreeInfoclosesocketconnectgetaddrinfosocket
                      • String ID:
                      • API String ID: 242599585-0
                      • Opcode ID: d3982aedac2a5c94766331ef093bc1566eeb3870826ac122965e00373034951a
                      • Instruction ID: 23abe507401a6561ed447c90683016714f9a9af45c9242d02c2306d312d96357
                      • Opcode Fuzzy Hash: d3982aedac2a5c94766331ef093bc1566eeb3870826ac122965e00373034951a
                      • Instruction Fuzzy Hash: 9E218875E053149BDB249BA1DC89FEE7368DF18301F0000BBF909A62C1D7789D948B5A
                      APIs
                      • __EH_prolog3_catch.LIBCMT ref: 00429C9C
                      • Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00429CE8
                      • std::bad_exception::bad_exception.LIBCMT ref: 00429CFE
                      • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 00429D40
                      • std::bad_exception::bad_exception.LIBCMT ref: 00429D6A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::PolicyPolicy::_Schedulerstd::bad_exception::bad_exception$H_prolog3_catchResolveValidValueValues
                      • String ID:
                      • API String ID: 921398678-0
                      • Opcode ID: a17e9912f2dd60cabb5880328a5218807bfb4b16fff09030fc9fe1e3d2418584
                      • Instruction ID: e4f0000fdf8db68e5cd6af660122ebbf79e84cae44bb9f1680ea774d3ebdc29a
                      • Opcode Fuzzy Hash: a17e9912f2dd60cabb5880328a5218807bfb4b16fff09030fc9fe1e3d2418584
                      • Instruction Fuzzy Hash: 7F21C471A001249FCB04EF65E4829DEB7B0AF05314FA0406BF401AB2A2DB396D45DB69
                      APIs
                      • _free.LIBCMT ref: 0225F2B9
                        • Part of subcall function 0225B05C: HeapFree.KERNEL32(00000000,00000000,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?), ref: 0225B072
                        • Part of subcall function 0225B05C: GetLastError.KERNEL32(?,?,0225F334,?,00000000,?,?,?,0225F35B,?,00000007,?,?,0225F75D,?,?), ref: 0225B084
                      • _free.LIBCMT ref: 0225F2CB
                      • _free.LIBCMT ref: 0225F2DD
                      • _free.LIBCMT ref: 0225F2EF
                      • _free.LIBCMT ref: 0225F301
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction ID: 07ea82a7026a2bc499bdbb3968a124b37fb2aa2d012dec415cafd368b8502ce6
                      • Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction Fuzzy Hash: 18F04F72925721B78630EBD4E795C1A77DAFE017287648805E81CD7D98DBB0FC808A54
                      APIs
                      • _free.LIBCMT ref: 0043F052
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043F064
                      • _free.LIBCMT ref: 0043F076
                      • _free.LIBCMT ref: 0043F088
                      • _free.LIBCMT ref: 0043F09A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction ID: afd9a687733b4b320e977570e7283cbf07406cc3be8dc42b58a2af08add3b970
                      • Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction Fuzzy Hash: 7AF06832904604FB8534EB5DE681C0773FBEA48312B54281BF048D7611CBB8FC84465D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: *?
                      • API String ID: 269201875-2564092906
                      • Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction ID: 65fcf7d83a2602da6044af3b8b0642d0d6e4ee2b373febe78951fee759f34d72
                      • Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction Fuzzy Hash: 93610C76D1022A9FDB14DFE8C8805EDFBB5EF49310B1481A9E815E7344D775AE41CB90
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: *?
                      • API String ID: 269201875-2564092906
                      • Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction ID: 8444feb9c58af159b24f360d524a1af6424cb6e40e41c758a4baa9ba100f3a22
                      • Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction Fuzzy Hash: 1E618DB1E002199FCB14DFA9D8815EEFBF5EF4C310F25916AE845E7300E639AE418B94
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 0044275C
                      • _free.LIBCMT ref: 0044274A
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 00442916
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                      • String ID: XgE
                      • API String ID: 2155170405-2984570469
                      • Opcode ID: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
                      • Instruction ID: 8084bd392b0667b16f992d69d3ac30f533f8d402883a3cc5e9c46bc507ca970f
                      • Opcode Fuzzy Hash: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
                      • Instruction Fuzzy Hash: 3B5117B1900215ABFB10EF65CE819AEB7B8EF44314F51026BF510E3291EBF89E418B59
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user\Desktop\A1E1u0Rnel.exe$'x
                      • API String ID: 0-3581812481
                      • Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction ID: f705097832d2f6aea055fe3065590b7bd5579504c01538c319a6c7be198f02b5
                      • Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction Fuzzy Hash: 11416771A20325FBCB25DBD9DC809AEBBB9EB85310F548066ED04D7254D7B09A80CB95
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user\Desktop\A1E1u0Rnel.exe$'x
                      • API String ID: 0-3581812481
                      • Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction ID: 5a6a14289eafe60ce2143b443f35f28c3b9330844cb9aa4b0d6a2bcf37f19cd6
                      • Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction Fuzzy Hash: B841A571A00219AFDB159F9ACC859AFBBF8EB8D310F10106BE404A7351E7F48E41CB59
                      APIs
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 02254AE6
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 02254B9A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentImageNonwritable___except_validate_context_record
                      • String ID: S9C$csm
                      • API String ID: 3480331319-582408667
                      • Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction ID: 0dcbb8434b2538f4909efdde1d54da458d4844f141f3af27e9cc4e7865b466b7
                      • Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction Fuzzy Hash: FD410638E20625ABCF10EFA8C884BADBBB5AF44318F04C155EC149B399D775DA85CF91
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 022558E7
                      • CatchIt.LIBVCRUNTIME ref: 022559CD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CatchEncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 1435073870-2084237596
                      • Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction ID: 09f481560f5bda8c786149b96ab55d15e73b70171d26168ee7942031d8b14f78
                      • Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction Fuzzy Hash: 6941797191021AAFCF25DF94CD80AEEBBB6BF48314F548099FD0467229D339A960CF91
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 00435680
                      • CatchIt.LIBVCRUNTIME ref: 00435766
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CatchEncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 1435073870-2084237596
                      • Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction ID: 5e74a0003837bbbf1c0f5d1cc79d9a8e9fb2d82c4166bdd95ad30412f998441c
                      • Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction Fuzzy Hash: 4A418871900609EFCF15CF98DC82AEEBBB5BF4C304F18909AF90867221D339A950DB58
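                      The function pairs above (for instance the RtlEncodePointer/CatchIt handler at 022558E7 and 00435680, or the _free cleanup at 0225F2B9 and 0043F052) carry the same Opcode ID but different Instruction IDs: the region dumped at 02220000 ("based on PE: false") holds a relocated second copy of code from the 00400000 image. The block below is an added analysis helper, not part of the Joe Sandbox report and not Joe Sandbox code. It parses entries in the report's own bullet format (SAMPLE is a constructed excerpt condensed from the entries on this page), lists Opcode IDs that occur at more than one dump offset, and decodes the Winsock chain getaddrinfo, socket(AF_INET, SOCK_STREAM), connect and recv with a 0x1F40-byte length from the raw argument columns. The AF_* and SOCK_* constant tables are standard Winsock values; the field names of the returned dicts are this example's own choice.

```python
"""Correlate Joe Sandbox per-function entries across memory dumps.
Added analysis helper for the report format shown above; not Joe Sandbox code."""
import re
from collections import defaultdict

# "• name.MODULE(args), ref: ADDR" or "• name.LIB ref: ADDR"; subcall lines carry a prefix.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function \w+:\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:.*?Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>API ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$")

# Constructed sample: four entries condensed from the report text above.
SAMPLE = """\
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 022558E7
• CatchIt.LIBVCRUNTIME ref: 022559CD
• Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
• Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
• Instruction ID: 09f481560f5bda8c786149b96ab55d15e73b70171d26168ee7942031d8b14f78
APIs
• RtlEncodePointer.NTDLL(00000000), ref: 00435680
• CatchIt.LIBVCRUNTIME ref: 00435766
• Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
• Instruction ID: 5e74a0003837bbbf1c0f5d1cc79d9a8e9fb2d82c4166bdd95ad30412f998441c
APIs
• getaddrinfo.WS2_32(?,00000000,?,?), ref: 0040DE2C
• FreeAddrInfoW.WS2_32(?), ref: 0040DE4D
• socket.WS2_32(00000002,00000001,00000000), ref: 0040DE75
• connect.WS2_32(00000000,?,00000010), ref: 0040DE87
• closesocket.WS2_32(00000000), ref: 0040DEA1
• Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: d3982aedac2a5c94766331ef093bc1566eeb3870826ac122965e00373034951a
APIs
• __Mtx_unlock.LIBCPMT ref: 0040DF4D
• recv.WS2_32(?,?,00001F40,00000000), ref: 0040DF86
• recv.WS2_32(?,?,00001F40,00000000), ref: 0040DFB4
• closesocket.WS2_32(?), ref: 0040E028
• Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Opcode ID: b3ca68a6cb2e0dd676154645a2f8576170dabd98dca11c7a3b3798b3f7b83ddb
"""


def parse_entries(text):
    """Return one dict per function entry: apis, offset, based_on_pe, opcode_id, ..."""
    entries, cur = [], {"apis": []}
    for line in text.splitlines():
        if line.strip() in ("APIs", "Strings") and cur.get("opcode_id"):
            entries.append(cur)  # a new function block begins
            cur = {"apis": []}
        if m := API_RE.match(line):
            cur["apis"].append({"name": m["name"], "module": m["module"],
                                "args": m["args"].split(",") if m["args"] else [],
                                "ref": int(m["ref"], 16), "subcall": bool(m["sub"])})
        elif m := SRC_RE.search(line):
            cur["offset"], cur["based_on_pe"] = int(m["offset"], 16), m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            cur[m["key"].lower().replace(" ", "_")] = m["val"].strip()
    if cur.get("opcode_id"):
        entries.append(cur)
    return entries


def shared_across_dumps(entries):
    """Opcode IDs seen at more than one dump offset.  On this page the Opcode ID stays
    equal while the Instruction ID changes between the 00400000 image and the 02220000
    region, so it is the hash that ignores relocated operands."""
    by_opcode = defaultdict(set)
    for e in entries:
        by_opcode[e["opcode_id"]].add(e["offset"])
    return {oid: sorted(offs) for oid, offs in by_opcode.items() if len(offs) > 1}


AF = {2: "AF_INET", 23: "AF_INET6"}        # standard Winsock address families
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}  # standard Winsock socket types


def winsock_chains(entries):
    """Per dump offset: each function's WS2_32 calls in address order, with the
    socket() family/type and the recv() length argument decoded from hex."""
    chains = defaultdict(list)
    for e in entries:
        calls = sorted((c for c in e["apis"] if c["module"] == "WS2_32"), key=lambda c: c["ref"])
        if not calls:
            continue
        labels = []
        for c in calls:
            a = c["args"]
            if c["name"] == "socket" and len(a) >= 2 and "?" not in a[:2]:
                fam, typ = int(a[0], 16), int(a[1], 16)
                labels.append(f"socket({AF.get(fam, fam)}, {SOCK.get(typ, typ)})")
            elif c["name"] == "recv" and len(a) >= 3 and a[2] != "?":
                labels.append(f"recv(len={int(a[2], 16)})")
            else:
                labels.append(c["name"])
        chains[e["offset"]].append(labels)
    return dict(chains)


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for oid, offs in shared_across_dumps(ents).items():
        print(oid[:16], "present at", [hex(o) for o in offs])
    for off, funcs in winsock_chains(ents).items():
        print(hex(off), funcs)
```

Run against the full function listing saved as text, the shared-opcode map separates runtime code that the sample carries twice (the CRT and Concurrency runtime helpers) from functions unique to the in-memory region, which is where analyst attention belongs; the Winsock chain shows the client-side TCP connect and the fixed 8000-byte recv loop without reading hex by eye.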
                      APIs
                        • Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
                      • _free.LIBCMT ref: 0043E528
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: @"F$avC
                      • API String ID: 269201875-3024483575
                      • Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction ID: c2258c4a8f5ad0cbd888ce205a5b2d9973e5ee0a434949fbdbaf9cd53865a0ee
                      • Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction Fuzzy Hash: 5131BE71800249AFDB01DFAAD841B9F7BF5EF48318F1010AAF8109B2A2EB79DD50CB55
                      APIs
                      • _free.LIBCMT ref: 02262B27
                      • _free.LIBCMT ref: 02262B7D
                        • Part of subcall function 02262959: _free.LIBCMT ref: 022629B1
                        • Part of subcall function 02262959: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 022629C3
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$InformationTimeZone
                      • String ID: XgE
                      • API String ID: 597776487-2984570469
                      • Opcode ID: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
                      • Instruction ID: dcd4e90b96a11678add00aa30dc9dbaf53ea965a4864086a4ffc4c9c02af9d55
                      • Opcode Fuzzy Hash: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
                      • Instruction Fuzzy Hash: A421F57382032AA7D7316EB48C48FFA776DDB84364F100395DD94A7098EBB049C58A95
                      APIs
                      • __EH_prolog3.LIBCMT ref: 02240F31
                      • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 02240F3E
                      • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 02240F91
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
                      • String ID: p[F
                      • API String ID: 220083066-1832964472
                      • Opcode ID: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
                      • Instruction ID: ed54c45fab388c9a3ddf75ed2951587f0a1f4cdcc5368847bfdbe2f9006e6990
                      • Opcode Fuzzy Hash: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
                      • Instruction Fuzzy Hash: CC01B5A1A383018EDB1DEFF8651035D7AA1AB08740F50057EE505EB289DFB48F808F99
                      APIs
                      • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042A102
                      • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042A126
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042A139
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
                      • String ID: pScheduler
                      • API String ID: 246774199-923244539
                      • Opcode ID: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
                      • Instruction ID: 10cbf4c553f32a99b29d21dedcc7eb1d51cf5285ac80ee2cb09dfeade9188058
                      • Opcode Fuzzy Hash: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
                      • Instruction Fuzzy Hash: 56F02B35700224A38720FA55FC428AEF3789F80729BA0812FEC0517182DB7CAA19C69E
                      APIs
                      • RegisterWaitForSingleObject.KERNEL32(?,%C,?,02250C8C,000000FF,0000000C), ref: 02240098
                      • GetLastError.KERNEL32(?,02250C8C,?,00430925,?,?,?,?,?,?,02245F15,?), ref: 022400A7
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 022400BD
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                      • String ID: %C
                      • API String ID: 2296417588-4291884666
                      • Opcode ID: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
                      • Instruction ID: dd799201d7ed77f7ec743fd2f97c52f7c34613a2a246a34fbc81d3389197a8e4
                      • Opcode Fuzzy Hash: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
                      • Instruction Fuzzy Hash: 10F0A03551020AFBCF04EFE5DD44EAE377DAB00705F200525B624E60E2EB35E6049B65
                      APIs
                      • RegisterWaitForSingleObject.KERNEL32(?,?,00000001,%C,000000FF,0000000C), ref: 0041FE31
                      • GetLastError.KERNEL32(?,00430A25,?,00430925,?,?,?,?,?,?,00425CAE,?), ref: 0041FE40
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FE56
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                      • String ID: %C
                      • API String ID: 2296417588-3573392825
                      • Opcode ID: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
                      • Instruction ID: 9d603aad05ffa4e056fd93621e3d7a672a7e3166deae781ad298c0678da8b19d
                      • Opcode Fuzzy Hash: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
                      • Instruction Fuzzy Hash: BFF0A73550020AB7CF00EFA1DC45EEF7B6C6B00705F100525B614E11E2DA38E6449768
                      APIs
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 0223D42D
                      • WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,0223D39D,00000064,?,0045007C,?,02227854,00468680), ref: 0223D43E
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 0223D445
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeaveObjectSingleWait
                      • String ID: PWF
                      • API String ID: 501323975-4189640852
                      • Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction ID: 5fde41056272db49c89ecd9dc4055091cbaeaed4a581648779de05df522e9d85
                      • Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction Fuzzy Hash: 8EE01235651B24F7C7021B90EC09B9E3F68EB45763F044031FA0566161DBA56C40CBDF
                      APIs
                      • GetVersionExW.KERNEL32(0000011C,00462014), ref: 02228011
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02228072
                      • GetProcAddress.KERNEL32(00000000), ref: 02228079
                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0222813E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleInfoModuleProcSystemVersion
                      • String ID:
                      • API String ID: 1456109104-0
                      • Opcode ID: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
                      • Instruction ID: d8ca3e348ca06f7b73b140ece22457c461769340d7b0a606a8234e9ee0761f09
                      • Opcode Fuzzy Hash: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
                      • Instruction Fuzzy Hash: FBE116B0E10264BBDB14AFA8CD4679C7B62AB42710F94429CD405673C9EB768E588FD3
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID:
                      • API String ID: 3213747228-0
                      • Opcode ID: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
                      • Instruction ID: 6dcceeb9db9327bc1899a1d4e668a9ffb8be43336948c324afa7b236289c58da
                      • Opcode Fuzzy Hash: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
                      • Instruction Fuzzy Hash: 84B138329203A69FDB11CFA8C880BBEBBF6EF45340F14C16ADC559B249D7359942CB61
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
                      • Instruction ID: 1f3c26491e496284823a940b7edc4ef447b3406b6e9c9ee50b23a56a954f0b10
                      • Opcode Fuzzy Hash: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
                      • Instruction Fuzzy Hash: 3D51E672620722EFDB258FD0D840B7977A5EF00315F94C52DEC0A5B298E7B1E8A0CB50
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AdjustPointer
                      • String ID:
                      • API String ID: 1740715915-0
                      • Opcode ID: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
                      • Instruction ID: de7e3e00fb04a34b96eeb7253be455e546d1f1f5c91bb76df3f696651397a324
                      • Opcode Fuzzy Hash: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
                      • Instruction Fuzzy Hash: 5851E171A01A06AFEF289F55D841BBB73B4EF18304F14516FE80197291E739ED41CB99
                      APIs
                      • GetVersionExW.KERNEL32(0000011C,?,00462014), ref: 02228660
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 022286C7
                      • GetProcAddress.KERNEL32(00000000), ref: 022286CE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProcVersion
                      • String ID:
                      • API String ID: 3310240892-0
                      • Opcode ID: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
                      • Instruction ID: f2cc0e991105e7f6e158fe6e842ead3d210666aeb5f88d57ff7632e6d27aa30f
                      • Opcode Fuzzy Hash: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
                      • Instruction Fuzzy Hash: DD512A74D20324ABDB14DFA4CD887DDB775EB45310F5042A8E804A72D5EB36DA84CFA2
                      APIs
                      • GetVersionExW.KERNEL32(0000011C,?,82CD4C3C), ref: 004083F9
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408460
                      • GetProcAddress.KERNEL32(00000000), ref: 00408467
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressHandleModuleProcVersion
                      • String ID:
                      • API String ID: 3310240892-0
                      • Opcode ID: c5af24d2983aef2b3c383eb558275b6883f436ff97da18ae2b794e3607aa909b
                      • Instruction ID: 938ad35630e66277154cddf74743d86f98c067e6d70a9bb90e20810804f89ef8
                      • Opcode Fuzzy Hash: c5af24d2983aef2b3c383eb558275b6883f436ff97da18ae2b794e3607aa909b
                      • Instruction Fuzzy Hash: E9510870D00214ABDB14EF68DE497DEBB74EB46314F5042BEE445A72C1EF389AC48B99
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: EqualOffsetTypeids
                      • String ID:
                      • API String ID: 1707706676-0
                      • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                      • Instruction ID: ac53abe70e9c11188e44a5f7190137d6a69e229745063f643619217753c0fe5d
                      • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                      • Instruction Fuzzy Hash: 55518F3592422A9FCF11DFA9C480AEEFBF5EF05314F15845AEC51A7354DB32AA84CB50
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: EqualOffsetTypeids
                      • String ID:
                      • API String ID: 1707706676-0
                      • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                      • Instruction ID: cef6b095d55e150eee694991f596d606281b118854b35fc2e5d75d5fbf24ef20
                      • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                      • Instruction Fuzzy Hash: C851BC35A042099FDF10CFA8C4806EEBBF4EF89354F14649BE850A7361D33ABA05CB54
                      APIs
                      • _free.LIBCMT ref: 02266305
                      • _free.LIBCMT ref: 0226632E
                      • SetEndOfFile.KERNEL32(00000000,02261C71,00000000,0225AEF9,?,?,?,?,?,?,?,02261C71,0225AEF9,00000000), ref: 02266360
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02261C71,0225AEF9,00000000,?,?,?,?,00000000), ref: 0226637C
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFileLast
                      • String ID:
                      • API String ID: 1547350101-0
                      • Opcode ID: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
                      • Instruction ID: b7a0916baa10a37f25e6d71ce1eb361c3c415c9daa462779b9ef5b058fd956ee
                      • Opcode Fuzzy Hash: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
                      • Instruction Fuzzy Hash: A841E833920356ABDB116BF8CC4CBBE776FAF45724F184514EC24AB198E778C8948B60
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                      • String ID:
                      • API String ID: 3264154886-0
                      • Opcode ID: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
                      • Instruction ID: e8d8defd8074025906f8f6cb855744fa2aa143b14e97b752c37ece0943bfec59
                      • Opcode Fuzzy Hash: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
                      • Instruction Fuzzy Hash: 244104B1910325ABDB21DFA4C94476AB7E8FF04324F00466ED815D7754EB7AEA08CF81
                      APIs
                      • __Mtx_unlock.LIBCPMT ref: 00402F5F
                      • GetCurrentThreadId.KERNEL32 ref: 00402F7E
                      • __Mtx_unlock.LIBCPMT ref: 00402FCC
                      • __Cnd_broadcast.LIBCPMT ref: 00402FE3
                        • Part of subcall function 0041C6AC: mtx_do_lock.LIBCPMT ref: 0041C6B4
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
                      • String ID:
                      • API String ID: 3471820992-0
                      • Opcode ID: f0f8b121aba1122f24a75a8c83bd5bf134d72cfcefe3452c2b67ebb99ce96ba3
                      • Instruction ID: 48187f3e1bc168490bb81d7fc303c9f02b2004bad0fbdb5a3eb1e4516cac7e92
                      • Opcode Fuzzy Hash: f0f8b121aba1122f24a75a8c83bd5bf134d72cfcefe3452c2b67ebb99ce96ba3
                      • Instruction Fuzzy Hash: 2141CFB0A016159BDB20DF65C98579BB7E8FF14364F00453EE816E7380EB79EA04CB85
                      APIs
                      • _free.LIBCMT ref: 0044609E
                      • _free.LIBCMT ref: 004460C7
                      • SetEndOfFile.KERNEL32(00000000,00441A0A,00000000,0043AC92,?,?,?,?,?,?,?,00441A0A,0043AC92,00000000), ref: 004460F9
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,00441A0A,0043AC92,00000000,?,?,?,?,00000000), ref: 00446115
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFileLast
                      • String ID:
                      • API String ID: 1547350101-0
                      • Opcode ID: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
                      • Instruction ID: f61cd90cd7361cc84673696b1269d2078ce9a605f9326b768ff18fa508e212cc
                      • Opcode Fuzzy Hash: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
                      • Instruction Fuzzy Hash: 6041F872900601ABFB25ABA9CD02B9E37B5EF4A364F15011BF914E7292D63CD841472A
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02251DA9
                        • Part of subcall function 02252078: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02251AF1), ref: 02252088
                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02251DBE
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02251DCD
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02251E91
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                      • String ID:
                      • API String ID: 1312548968-0
                      • Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction ID: c4419c345c62983e7ba1ce0ad8b7f10b1fd4a950f090a4f90e76cb8f9aa9ce0d
                      • Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction Fuzzy Hash: EA310735A20325ABCF05EFA4C880B6D7375BF44310F208569ED15A7289DB70EA15CA90
                      APIs
                      • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 02242F76
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: BuffersConcurrency::details::InitializeManager::Resource
                      • String ID:
                      • API String ID: 3433162309-0
                      • Opcode ID: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
                      • Instruction ID: b6cce551f1550e7442db6de925fb52f7f153ca8ee344774c1650f684d09714c0
                      • Opcode Fuzzy Hash: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
                      • Instruction Fuzzy Hash: 22318D75E10309EFCF18DF94C4C0BAE7BB9AF44310F1415AADD01AB24ADB71A944CB90
                      APIs
                      • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422D0F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: BuffersConcurrency::details::InitializeManager::Resource
                      • String ID:
                      • API String ID: 3433162309-0
                      • Opcode ID: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
                      • Instruction ID: d418521b68a385beeb000fecb389156560c70f9a2eedc7cbe4bb4063ba4b2acd
                      • Opcode Fuzzy Hash: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
                      • Instruction Fuzzy Hash: 56318835A00319EFCF10DF94DA80BAE7BB9BF44304F5000AAD901AB346D7B4A905CBA5
                      APIs
                        • Part of subcall function 02256C33: _free.LIBCMT ref: 02256C41
                        • Part of subcall function 0225EB8D: WideCharToMultiByte.KERNEL32(02228A07,00000000,0045FB20,00000000,02228A07,02228A07,022608B7,?,0045FB20,?,00000000,?,02260626,0000FDE9,00000000,?), ref: 0225EC2F
                      • GetLastError.KERNEL32 ref: 0225DC1E
                      • __dosmaperr.LIBCMT ref: 0225DC25
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0225DC64
                      • __dosmaperr.LIBCMT ref: 0225DC6B
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                      • String ID:
                      • API String ID: 167067550-0
                      • Opcode ID: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
                      • Instruction ID: 0a62c04161a3401992d6b7fd76fb26f379150f75867e2c186ea75496ef7525b1
                      • Opcode Fuzzy Hash: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
                      • Instruction Fuzzy Hash: 8121B671664736AFDB109FE58C80E6BB7AEEF04376700C518EC2997154D771EC409BA0
                      APIs
                        • Part of subcall function 004369CC: _free.LIBCMT ref: 004369DA
                        • Part of subcall function 0043E926: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00444DC0,?,00000000,00000000), ref: 0043E9C8
                      • GetLastError.KERNEL32 ref: 0043D9B7
                      • __dosmaperr.LIBCMT ref: 0043D9BE
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043D9FD
                      • __dosmaperr.LIBCMT ref: 0043DA04
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                      • String ID:
                      • API String ID: 167067550-0
                      • Opcode ID: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
                      • Instruction ID: ee20851a037b4c6b58bdbb56dc4c6e04abe5cdf536cd6285cafdd1b842c948ea
                      • Opcode Fuzzy Hash: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
                      • Instruction Fuzzy Hash: DB21FBF1A04605BFDB206F66AC80E2777ACEF0C368F10511AF86997251D738EC418799
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02251AEC
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02251B0B
                      • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 02251B52
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 1284976207-0
                      • Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction ID: 95176259a621ec9ad369a5ecb745d8a06d836f65687c24418a3181528dc9e4e2
                      • Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction Fuzzy Hash: 52214C357207329BCB05ABA8C494B7C73A5BF80324F00411AE819872D5EF74A851CA94
                      APIs
                      • SetEvent.KERNEL32(?,00000000,?), ref: 02250D50
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 02250D38
                        • Part of subcall function 02249196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 022491B7
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 02250DB3
                      • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 02250DB8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                      • String ID:
                      • API String ID: 2734100425-0
                      • Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction ID: 748ea0aadc51345b0d00d897c2a373b1a8d617f8bd58cd7311d5ae4d76ca9c68
                      • Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction Fuzzy Hash: 4621D779620224AFCB14E798CC44E6EB7B9EF48760B044556FA15A32A1DB70BD01CAA5
                      APIs
                      • SetEvent.KERNEL32(?,00000000,?), ref: 00430AE9
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430AD1
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430B4C
                      • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 00430B51
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                      • String ID:
                      • API String ID: 2734100425-0
                      • Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction ID: eb585ae1b4d53eae47272984182226d4372f2576b54a2ee7974d2067b554b9fa
                      • Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction Fuzzy Hash: 54210475700224AFCB10EB59DC45D7EB7A8EF48324F15015BFA16A3292CB74AD018AA9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction ID: 71933afbfd2ce694d6a6f2b45ef2ac32a23ec7653eb2dfd9b869147193af76d0
                      • Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction Fuzzy Hash: 4D210531E61335BBCB318BE49C55B2A3768AF157A8F108220FC05A72ADD770ED00C6E4
                      APIs
                      • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 02245168
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0224518B
                      • __EH_prolog3.LIBCMT ref: 022451A6
                      • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 022451CD
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 2642201467-0
                      • Opcode ID: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
                      • Instruction ID: 2a7726171d90a44764a38616106d794e87c26f8af4d3401c60bd0283b7587aee
                      • Opcode Fuzzy Hash: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
                      • Instruction Fuzzy Hash: DB21BD35610205AFCB18EF98C880AAD73B6FF48310F50406AE90A9B6A4DF71AA11CF54
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0225162D
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 022515DE
                        • Part of subcall function 02248582: SafeRWList.LIBCONCRT ref: 02248593
                      • SafeRWList.LIBCONCRT ref: 02251623
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 02251643
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 336577199-0
                      • Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction ID: ca2e6121f56ae828865f365e885bd5cdea7877a41dc280b2dc78d8ec3aaaa9ad
                      • Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction Fuzzy Hash: 6921C57162020A9FC704DF64C8C0FA5FBEABF84318F14D2A6D80A4B545DB75E595CBC0
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 004313C6
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431377
                        • Part of subcall function 0042831B: SafeRWList.LIBCONCRT ref: 0042832C
                      • SafeRWList.LIBCONCRT ref: 004313BC
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 004313DC
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 336577199-0
                      • Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction ID: d9e605bbb79d098c531deca9cf4cd80c541eae854b845806876d4496965d449b
                      • Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction Fuzzy Hash: 7521F53160020ADFC704CF24C881FA5F7E8FB48718F54E2ABD8054B552DB39E98ACB94
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
                      • Instruction ID: 16d35e42bfc44685cb33fd35f9944a206deae6bfd9688b7e2780e80723561dda
                      • Opcode Fuzzy Hash: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
                      • Instruction Fuzzy Hash: 5C11D335A21736ABDB228BE49C84B3A375C9F017A0B508621EC01E7295D7F0ED00C6E0
                      APIs
                      • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0223F576
                        • Part of subcall function 0223F732: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 022456ED
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0223F597
                        • Part of subcall function 02240419: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02240435
                      • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0223F5B3
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0223F5BA
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                      • String ID:
                      • API String ID: 1684785560-0
                      • Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction ID: 8713708691a66cfd4cfca78993ef127a2c435844edfc4c14e1b42a3693453d84
                      • Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction Fuzzy Hash: B40104F28103057BD7226FE99C80C9BBBA9DF10344B10453AF95592585D7B096458AA1
                      APIs
                      • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041F30F
                        • Part of subcall function 0041F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425486
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0041F330
                        • Part of subcall function 004201B2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004201CE
                      • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0041F34C
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0041F353
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                      • String ID:
                      • API String ID: 1684785560-0
                      • Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction ID: fbdee06be22d7eb5cf524bde3a8873450c2cdba4fa94e97b4615b2f8ae6f40be
                      • Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction Fuzzy Hash: 9C012B71500309BBD720AF66CC859DBFBA8EF10358B10453FFC1492152D778E98A87A9
                      APIs
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02253642
                      • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 02253656
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0225366E
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 02253686
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                      • String ID:
                      • API String ID: 78362717-0
                      • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction ID: 6811bd829ac1b493d245f4adaba882a85b5c67156c2e7e27a5cd905bd541b90a
                      • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction Fuzzy Hash: FE01DB32620224A7CF16EED58840AAF77EA9F44390F009099EC11A7389DA70ED118EE4
                      APIs
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004333DB
                      • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004333EF
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00433407
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043341F
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                      • String ID:
                      • API String ID: 78362717-0
                      • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction ID: 148698cb8657f3ab7a0d111eac04cd811a00bb0e29ba6abd34784ed5a644fba4
                      • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction Fuzzy Hash: 74012632700524A7CF16EF658841AAFB7A99F58314F00001BFC12EB382DA74EE1193A5
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0225BC07,00000000,?,02262212,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0225BAB8
                      • GetLastError.KERNEL32(?,02262212,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0225BC07,00000000,00000104,?), ref: 0225BAC2
                      • __dosmaperr.LIBCMT ref: 0225BAC9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction ID: 2afa68299f715f5d5b0cb494ec247435ea3dc667066a2b4a3aa3f5a4a1f51cf3
                      • Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction Fuzzy Hash: 39F06231610626BB8B211FE2DC08966FF6AFF44365700C520FD29C7418D775E811CBD0
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0225BC07,00000000,?,0226219D,00000000,00000000,0225BC07,?,?,00000000,00000000,00000001), ref: 0225BB21
                      • GetLastError.KERNEL32(?,0226219D,00000000,00000000,0225BC07,?,?,00000000,00000000,00000001,00000000,00000000,?,0225BC07,00000000,00000104), ref: 0225BB2B
                      • __dosmaperr.LIBCMT ref: 0225BB32
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction ID: 7c2403c57ba782cf399dd46f240362c379f78768f9a56ba95e3689979eee7d2c
                      • Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction Fuzzy Hash: 8DF0FB32610A26BB8A215FE2DC0895AFF6AFF443A5700C525ED2986428DB72E851DBD4
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0043B851
                      • GetLastError.KERNEL32(?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104,?), ref: 0043B85B
                      • __dosmaperr.LIBCMT ref: 0043B862
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction ID: 4d38e234b28d8319e4134ca970a631ac6953b460d6f58f575e06abf1e175f512
                      • Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction Fuzzy Hash: 51F06D36600615BBCB246FA6DC08E4BBF6DFF483A1B009126F61DC6521D735E811CBD8
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001), ref: 0043B8BA
                      • GetLastError.KERNEL32(?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104), ref: 0043B8C4
                      • __dosmaperr.LIBCMT ref: 0043B8CB
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction ID: fe454a788940d8d1b6a18dc845ad3b04fffb8540f5c3b85414d994226db15d49
                      • Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction Fuzzy Hash: 26F06D72600619BB8B216BA6DC08B57BF69FF483A0B009526FA19C6521D739E861C7D8
                      APIs
                        • Part of subcall function 022401CD: TlsGetValue.KERNEL32(?,?,0223F74E,0223F57B,?,?), ref: 022401D3
                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02245296
                        • Part of subcall function 0224E575: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0224E59C
                        • Part of subcall function 0224E575: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0224E5B5
                        • Part of subcall function 0224E575: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0224E62B
                        • Part of subcall function 0224E575: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0224E633
                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 022452A4
                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 022452AE
                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 022452B8
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                      • String ID:
                      • API String ID: 2616382602-0
                      • Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction ID: 40d0b6f01e7f52e25e99da2ea9273f20da25af0832dfaccf3129562203959f60
                      • Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction Fuzzy Hash: 2DF0F631B20B2567CB2DF7E58C10A6DB767AFA0B50F40412AE92153298DF749A158FC2
                      APIs
                        • Part of subcall function 0041FF66: TlsGetValue.KERNEL32(?,?,0041F4E7,0041F314,?,?), ref: 0041FF6C
                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0042502F
                        • Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042E335
                        • Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042E34E
                        • Part of subcall function 0042E30E: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E3C4
                        • Part of subcall function 0042E30E: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E3CC
                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0042503D
                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00425047
                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00425051
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                      • String ID:
                      • API String ID: 2616382602-0
                      • Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction ID: 591bd9b18c1ea594323a38232f6cf7a467bdae74b08f21c6b28571b33805ae9f
                      • Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction Fuzzy Hash: 2DF0F63170053927CA25B727E81286EF6659F91B58B80002FF91057252EF7C9E498BCE
                      APIs
                      • __EH_prolog3.LIBCMT ref: 0223FB78
                      • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0223FBAB
                      • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 0223FBB7
                      • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0223FBC0
                        • Part of subcall function 0223F554: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0223F576
                        • Part of subcall function 0223F554: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0223F597
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Concurrency::critical_section::_Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadLockNodeNode::QueueRegisterSchedulerSwitch_to_active
                      • String ID:
                      • API String ID: 2559503089-0
                      • Opcode ID: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
                      • Instruction ID: ec7c287f5183ab2b573f66f600c9cb3e1c686125ba97bf69596baacac6956c28
                      • Opcode Fuzzy Hash: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
                      • Instruction Fuzzy Hash: EEF0B4F1E703096A9F16BEF56A609FD32974F84324B04416999169B788CF748D049AA4
                      APIs
                      • WriteConsoleW.KERNEL32(02228A07,0000000F,0045FB20,00000000,02228A07,?,02265421,02228A07,00000001,02228A07,02228A07,?,022602FC,00000000,?,02228A07), ref: 02266D4D
                      • GetLastError.KERNEL32(?,02265421,02228A07,00000001,02228A07,02228A07,?,022602FC,00000000,?,02228A07,00000000,02228A07,?,02260850,02228A07), ref: 02266D59
                        • Part of subcall function 02266D1F: CloseHandle.KERNEL32(00462970,02266D69,?,02265421,02228A07,00000001,02228A07,02228A07,?,022602FC,00000000,?,02228A07,00000000,02228A07), ref: 02266D2F
                      • ___initconout.LIBCMT ref: 02266D69
                        • Part of subcall function 02266CE1: CreateFileW.KERNEL32(00457658,40000000,00000003,00000000,00000003,00000000,00000000,02266D10,0226540E,02228A07,?,022602FC,00000000,?,02228A07,00000000), ref: 02266CF4
                      • WriteConsoleW.KERNEL32(02228A07,0000000F,0045FB20,00000000,?,02265421,02228A07,00000001,02228A07,02228A07,?,022602FC,00000000,?,02228A07,00000000), ref: 02266D7E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction ID: 933561293c3dc082c6f0ec90eef06392d1107e3e592e10608ee8e9f469d94228
                      • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction Fuzzy Hash: CAF01C37111255BBCF621FE6EC0CAA97F2AFB497B1F104021FA1C85130D672C860DB95
                      APIs
                      • WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,004087A0,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0), ref: 00446AE6
                      • GetLastError.KERNEL32(?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0,?,004405E9,004087A0), ref: 00446AF2
                        • Part of subcall function 00446AB8: CloseHandle.KERNEL32(FFFFFFFE,00446B02,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0), ref: 00446AC8
                      • ___initconout.LIBCMT ref: 00446B02
                        • Part of subcall function 00446A7A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00446AA9,004451A7,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446A8D
                      • WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446B17
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction ID: 2847bb895f9299352194151eea3b2518d9960724f28a171724648c66562c6119
                      • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction Fuzzy Hash: 1DF03736101664BBDF621FA5DC089DA3F65FB457A2F014022FE1C95131D672DC20DB9A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: runas
                      • API String ID: 3472027048-4000483414
                      • Opcode ID: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
                      • Instruction ID: 34022107b861bd820349d3ad1bd51ce70bf53868cb5cc15ff8f67f8abea2acea
                      • Opcode Fuzzy Hash: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
                      • Instruction Fuzzy Hash: 86E16D71A24254ABDB09EFB8CD85B9DFB77EF41304F50864CE4005B3C9DB769A448B92
                      APIs
                        • Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661), ref: 0043E722
                      • GetCPInfo.KERNEL32(00000000,0043E512,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661,?), ref: 0043E764
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID: avC
                      • API String ID: 546120528-551859807
                      • Opcode ID: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
                      • Instruction ID: 7136e37640ab4f9cfa26bf5a46befe49b79dc652285453c6057786630530e70e
                      • Opcode Fuzzy Hash: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
                      • Instruction Fuzzy Hash: C6512370E012059EEB249F73C8806ABBBF5EF88304F14646FD096973D2E7789546CB99
                      APIs
                      • ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,?), ref: 0044540D
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: )ZD$)ZD
                      • API String ID: 2738559852-3993371512
                      • Opcode ID: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
                      • Instruction ID: fc353a334f2b284155b366ba4413ab3dfc7edfe09a6423858d2821c62ff71e0d
                      • Opcode Fuzzy Hash: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
                      • Instruction Fuzzy Hash: 4651E731A04619EBDF20CF58C881BEDB7B0FF05314F20856AD855AB392E3785981CB99
                      APIs
                        • Part of subcall function 0225E4C0: GetOEMCP.KERNEL32(00000000,0225E732,?,?,022578C8,022578C8,?), ref: 0225E4EB
                      • _free.LIBCMT ref: 0225E78F
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: @"F
                      • API String ID: 269201875-3084318295
                      • Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction ID: f7f04bd69fc83f4ca9a60f23749cd8778a4eeba4366fd25ce43b9b0885857716
                      • Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction Fuzzy Hash: 0831907191421AAFDB11DFA8C880BEA7BE5EF44324F168469ED149B2A4EB719A40CF50
                      APIs
                      • __alloca_probe_16.LIBCMT ref: 0041B65E
                      • RaiseException.KERNEL32(?,?,?,?), ref: 0041B683
                        • Part of subcall function 00433B04: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045E3B0,?,?,?,0045E3B0), ref: 00433B64
                        • Part of subcall function 00438BEC: IsProcessorFeaturePresent.KERNEL32(00000017,0043A72D,?,?,0043694A,?,?,?,?,00437661,?), ref: 00438C08
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                      • String ID: csm
                      • API String ID: 1924019822-1018135373
                      • Opcode ID: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
                      • Instruction ID: 9f88b0b7aede3b21d37810e77ce6789f3a807ab352a7de9bd37fa5025d97b667
                      • Opcode Fuzzy Hash: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
                      • Instruction Fuzzy Hash: A721AF31D01218AFCF24DF96C945AEFB7B8EF24714F14441AE845AB251CB38AD85CBCA
                      APIs
                      • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00431764
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004317AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
                      • String ID: pContext
                      • API String ID: 3390424672-2046700901
                      • Opcode ID: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
                      • Instruction ID: 942ad2940211714a74bcc9dfb36523be2d48a1416fc9e5f4f6d4d921a905eb8f
                      • Opcode Fuzzy Hash: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
                      • Instruction Fuzzy Hash: 2F113639A002149BCB05FF58C88596D77A5AF8C365F18406BEC0297362DB3CED05CBD8
                      APIs
                      • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041D21A
                      • ___raise_securityfailure.LIBCMT ref: 0041D301
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: FeaturePresentProcessor___raise_securityfailure
                      • String ID: pWF
                      • API String ID: 3761405300-3254099572
                      • Opcode ID: 8d6445971c7e0862906b7c68462026e959eab2d4c9270191dfb96f7b545bb8f5
                      • Instruction ID: 8fd7279893b741caf15dcd92eb45e819b2951614e4b3fd08056ab3288de795f0
                      • Opcode Fuzzy Hash: 8d6445971c7e0862906b7c68462026e959eab2d4c9270191dfb96f7b545bb8f5
                      • Instruction Fuzzy Hash: D121BDB5600A04DAE714EF26F945A583BE4FB48304F54553AEA049BAB1F3F498A1CF0E
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: x!F
                      • API String ID: 269201875-3062043068
                      • Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction ID: ec610dbbefb84f075eb3f1b67f978eb2d2bfc74aaea4dabaa352a15b90690914
                      • Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction Fuzzy Hash: 6501FC3153AB327AD63132F46E02ABE12966F03B34B15C321FD10A51ECEAB68C114596
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: x!F
                      • API String ID: 269201875-3062043068
                      • Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction ID: a9be1d7356db9bde33694ffb89096973f5cd6b257b37c16ae0656b7abf5e94eb
                      • Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction Fuzzy Hash: 0F01D831985A203AD52532355C82B6B12299B0D72CF20322BFBA0653E2FB8DCC3201DF
                      APIs
                      • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00420CD7
                      • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 00420D2A
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
                      • String ID: p[F
                      • API String ID: 3303180142-1832964472
                      • Opcode ID: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
                      • Instruction ID: 460490d00550286d74d196cd5a9549fc7c942c0fed1932104b3464a6bc3d5762
                      • Opcode Fuzzy Hash: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
                      • Instruction Fuzzy Hash: 510180B0F156249EDB10ABBA755135DA6E06B08318FA0406FE405EB283DA7C5E41876E
                      APIs
                      • GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
                      • GetACP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E29B
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: avC
                      • API String ID: 0-551859807
                      • Opcode ID: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
                      • Instruction ID: 791638059a19eb7d03b8e6799ac96854013f7a9a4db5e4c168316c4cba85a157
                      • Opcode Fuzzy Hash: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
                      • Instruction Fuzzy Hash: 15F0F630801202CBE704DFA6E8097AE37B4AB45339F1103D5E439962E2D7B4A841C78A
                      APIs
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 0223D383
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 0223D3C0
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave
                      • String ID: PWF
                      • API String ID: 3168844106-4189640852
                      • Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction ID: 736041a6f5687d6089fcbe0ac7c130fdfbd84e5d54091f6217ac33d425315959
                      • Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction Fuzzy Hash: E1F02034210601DFC326AF94DC44B25B7B4EB41736F20023EEA558B2E0DB712C42CE1A
                      APIs
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D11C
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D159
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave
                      • String ID: PWF
                      • API String ID: 3168844106-4189640852
                      • Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction ID: 988e6a820899fd4ceb20f62ffb6a68805dae8dfe7a3415f919f541f0d2922133
                      • Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction Fuzzy Hash: 16F0E275900601EFC3149F14EC44AA677A5EB45736F20022EEA55473D0D7391C82CA1A
                      APIs
                      • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042B94E
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B961
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
                      • String ID: pContext
                      • API String ID: 548886458-2046700901
                      • Opcode ID: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
                      • Instruction ID: 6d6ffe11be8a4b1ace8c2f2c8a58b350c0e533cc07d7fbfc7cd1cba97992ca6a
                      • Opcode Fuzzy Hash: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
                      • Instruction Fuzzy Hash: 95E02B39B0020467CB04F7A5D845D9DBB789E84715710401BE911A3352EB78AA44C6D8
                      APIs
                      • __EH_prolog3.LIBCMT ref: 0224255C
                      • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 02242572
                        • Part of subcall function 02242A99: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 02242AA8
                        • Part of subcall function 02242A99: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 02242ABC
                        • Part of subcall function 02242A99: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 02242ADD
                        • Part of subcall function 02242A99: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02242B46
                        • Part of subcall function 02242A99: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02242CB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_2220000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Manager::Resource$Information$AffinityTopology$AcquireApplyCaptureCleanupConcurrency::details::_H_prolog3Lock::_ProcessReentrantRestrictionsRetrieveSystemVersion
                      • String ID: p[F
                      • API String ID: 3302332639-1832964472
                      • Opcode ID: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
                      • Instruction ID: c288e65c6b8e5bc90de1d2e136721145b65189ca6e59a13d509795efebf48a2f
                      • Opcode Fuzzy Hash: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
                      • Instruction Fuzzy Hash: 2FE012B0720701D6DB18EFE6E92076933A5AB08B40F40052AE504DE254EFB5E5008F19
                      APIs
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004234FC
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000000.00000002.1800884040.0000000000462000.00000040.00000001.01000000.00000003.sdmp
                      • Associated: 00000000.00000002.1800884040.0000000000469000.00000040.00000001.01000000.00000003.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_400000_A1E1u0Rnel.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::invalid_argument::invalid_argument
                      • String ID: pScheduler$version
                      • API String ID: 2141394445-3154422776
                      • Opcode ID: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
                      • Instruction ID: 3122fea0a665ef1032727265859f97669ea40e48c80579a70b610642a631ca87
                      • Opcode Fuzzy Hash: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
                      • Instruction Fuzzy Hash: 28E04F34A40208B6CB26FE56E84BBC977749B1474BF94C157BC11111929BFCA78CCA89
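                      The records above pair every function with a Memory Dump Source line and two hashes, and several Opcode IDs (aa3b7ebb… for the critical-section wrapper, db21be25… for the _free wrapper) occur once in the image dump at 0x400000 (based on PE: true) and once more in the allocated region at 0x2220000 (based on PE: false), each time with a different Instruction ID. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this layout and lists the functions that were copied out of the mapped image into run-time memory, which is the "Detected unpacking" verdict at function granularity. The record text is a constructed excerpt condensed from the entries on this page; the bullet character and field names are assumed to match the report's own formatting.

```python
"""Correlate Joe Sandbox per-function records across memory dumps.

Each record carries an Opcode ID (hash over opcode bytes, stable across
relocation) and an Instruction ID (hash over full instruction bytes, so it
changes when absolute addresses change). The Source File line says whether
the dump is "based on PE" (the sample's image at its preferred base) or not
(memory allocated at run time). One Opcode ID in both kinds of dump with
different Instruction IDs is a function the sample copied out of its image
and fixed up in fresh memory: the behaviour the report calls "unpacking".
"""
import re
from collections import defaultdict

# Constructed excerpt modelled on this report's records, condensed to the
# lines the correlation needs (bullet lines keep the report's "•" prefix).
SAMPLE_RECORDS = """\
APIs
• RtlEnterCriticalSection.NTDLL(00465750), ref: 0223D383
• RtlLeaveCriticalSection.NTDLL(00465750), ref: 0223D3C0
• Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
• API ID: CriticalSection$EnterLeave
• Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
• Instruction ID: 736041a6f5687d6089fcbe0ac7c130fdfbd84e5d54091f6217ac33d425315959
APIs
• RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D11C
• RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D159
• Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: CriticalSection$EnterLeave
• Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
• Instruction ID: 988e6a820899fd4ceb20f62ffb6a68805dae8dfe7a3415f919f541f0d2922133
APIs
• Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
• API ID: _free
• Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
• Instruction ID: ec610dbbefb84f075eb3f1b67f978eb2d2bfc74aaea4dabaa352a15b90690914
APIs
• Source File: 00000000.00000002.1800884040.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: _free
• Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
• Instruction ID: a9be1d7356db9bde33694ffb89096973f5cd6b257b37c16ae0656b7abf5e94eb
APIs
  • Part of subcall function 0225E4C0: GetOEMCP.KERNEL32(00000000,0225E732,?,?,022578C8,022578C8,?), ref: 0225E4EB
• _free.LIBCMT ref: 0225E78F
• Source File: 00000000.00000002.1801738572.0000000002220000.00000040.00001000.00020000.00000000.sdmp, Offset: 02220000, based on PE: false
• API ID: _free
• Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
• Instruction ID: f7f04bd69fc83f4ca9a60f23749cd8778a4eeba4366fd25ce43b9b0885857716
"""

SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
FIELD_RE = re.compile(r"^[•\s]*(?P<key>API ID|String ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$")
# An API line, optionally prefixed by the report's "Part of subcall function <addr>:" note.
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>[\w:]+)\.(?P<module>\w+)")


def parse_records(text):
    """Split the report text into records, one per 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "sources": [], "api_id": "", "opcode_id": "", "instruction_id": ""}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = SRC_RE.search(line)
        if m:
            cur["sources"].append((int(m["offset"], 16), m["pe"].lower() == "true"))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m["key"].lower().replace(" ", "_")] = m["val"].strip()
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["name"], m["module"]))
    return records


def relocated_functions(records):
    """Opcode IDs seen both in the mapped image and in run-time allocated memory."""
    by_opcode = defaultdict(lambda: {"api_id": "", "image": set(), "dynamic": set(), "instr": set()})
    for r in records:
        if not r["opcode_id"]:
            continue
        g = by_opcode[r["opcode_id"]]
        g["api_id"] = g["api_id"] or r["api_id"]
        g["instr"].add(r["instruction_id"])
        for offset, on_disk in r["sources"]:
            (g["image"] if on_disk else g["dynamic"]).add(offset)
    return {
        oid: {"api_id": g["api_id"], "image": sorted(g["image"]),
              "dynamic": sorted(g["dynamic"]), "instruction_ids": len(g["instr"])}
        for oid, g in by_opcode.items() if g["image"] and g["dynamic"]
    }


if __name__ == "__main__":
    for oid, info in relocated_functions(parse_records(SAMPLE_RECORDS)).items():
        print(f"{oid[:16]}  {info['api_id'] or '-':30} image={['%#x' % a for a in info['image']]} "
              f"dynamic={['%#x' % a for a in info['dynamic']]} instruction-hash variants={info['instruction_ids']}")
```

                      Run against the full record list of a report, the output is the set of functions that exist both at the image base and in a region the sample allocated itself; a function that only appears in a based-on-PE: false dump (like 9908dd… above) was generated or decrypted at run time rather than copied, and is worth a separate look.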

                      Execution Graph

                      Execution Coverage:0.5%
                      Dynamic/Decrypted Code Coverage:26.9%
                      Signature Coverage:0%
                      Total number of Nodes:104
                      Total number of Limit Nodes:5
                      execution_graph 56690 20d003c 56691 20d0049 56690->56691 56705 20d0e0f SetErrorMode SetErrorMode 56691->56705 56696 20d0265 56697 20d02ce VirtualProtect 56696->56697 56699 20d030b 56697->56699 56698 20d0439 VirtualFree 56703 20d05f4 LoadLibraryA 56698->56703 56704 20d04be 56698->56704 56699->56698 56700 20d04e3 LoadLibraryA 56700->56704 56702 20d08c7 56703->56702 56704->56700 56704->56703 56706 20d0223 56705->56706 56707 20d0d90 56706->56707 56708 20d0dad 56707->56708 56709 20d0dbb GetPEB 56708->56709 56710 20d0238 VirtualAlloc 56708->56710 56709->56710 56710->56696 56711 41d762 56712 41d76e __FrameHandler3::FrameUnwindToState 56711->56712 56737 41d488 56712->56737 56714 41d775 56715 41d8ce 56714->56715 56725 41d79f ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 56714->56725 56763 41dba5 4 API calls 2 library calls 56715->56763 56717 41d8d5 56759 436629 56717->56759 56721 41d8e3 56722 41d7be 56723 41d83f 56745 4395bc 56723->56745 56725->56722 56725->56723 56762 436603 37 API calls 2 library calls 56725->56762 56727 41d845 56749 416d30 56727->56749 56738 41d491 56737->56738 56765 41dd91 IsProcessorFeaturePresent 56738->56765 56740 41d49d 56766 4347c4 10 API calls 2 library calls 56740->56766 56742 41d4a2 56743 41d4a6 56742->56743 56767 4347e3 7 API calls 2 library calls 56742->56767 56743->56714 56746 4395c5 56745->56746 56747 4395ca 56745->56747 56768 439320 49 API calls 56746->56768 56747->56727 56750 416d3b 56749->56750 56769 40ce40 51 API calls Concurrency::details::_CancellationTokenState::_RegisterCallback 56750->56769 56770 4364c7 56759->56770 56762->56723 56763->56717 56764 4365ed 23 API calls __FrameHandler3::FrameUnwindToState 56764->56721 56765->56740 56766->56742 56767->56743 56768->56747 56771 4364e7 56770->56771 56772 4364d5 56770->56772 56782 43636e 56771->56782 56798 41dcc7 GetModuleHandleW 56772->56798 56775 4364da 56775->56771 56799 43656d GetModuleHandleExW 
56775->56799 56777 41d8db 56777->56764 56781 43652a 56783 43637a __FrameHandler3::FrameUnwindToState 56782->56783 56805 438dc8 RtlEnterCriticalSection 56783->56805 56785 436384 56806 4363da 56785->56806 56787 436391 56810 4363af 56787->56810 56790 43652b 56815 43a302 GetPEB 56790->56815 56793 43655a 56796 43656d __FrameHandler3::FrameUnwindToState 3 API calls 56793->56796 56794 43653a GetPEB 56794->56793 56795 43654a GetCurrentProcess TerminateProcess 56794->56795 56795->56793 56797 436562 ExitProcess 56796->56797 56798->56775 56800 4365af 56799->56800 56801 43658c GetProcAddress 56799->56801 56803 4365b5 FreeLibrary 56800->56803 56804 4364e6 56800->56804 56802 4365a1 56801->56802 56802->56800 56803->56804 56804->56771 56805->56785 56807 4363e6 __FrameHandler3::FrameUnwindToState 56806->56807 56809 436447 __FrameHandler3::FrameUnwindToState 56807->56809 56813 4398a4 14 API calls __FrameHandler3::FrameUnwindToState 56807->56813 56809->56787 56814 438e10 RtlLeaveCriticalSection 56810->56814 56812 43639d 56812->56777 56812->56790 56813->56809 56814->56812 56816 43a31c 56815->56816 56818 436535 56815->56818 56819 43b2c7 56816->56819 56818->56793 56818->56794 56822 43b244 56819->56822 56823 43b272 56822->56823 56828 43b26e 56822->56828 56823->56828 56829 43b17d 56823->56829 56826 43b28c GetProcAddress 56827 43b29c _unexpected 56826->56827 56826->56828 56827->56828 56828->56818 56834 43b18e ___vcrt_FlsFree 56829->56834 56830 43b1ac LoadLibraryExW 56831 43b1c7 GetLastError 56830->56831 56830->56834 56831->56834 56832 43b222 FreeLibrary 56832->56834 56833 43b239 56833->56826 56833->56828 56834->56830 56834->56832 56834->56833 56835 43b1fa LoadLibraryExW 56834->56835 56835->56834 56836 63d876 56837 63d885 56836->56837 56840 63e016 56837->56840 56843 63e031 56840->56843 56841 63e03a CreateToolhelp32Snapshot 56842 63e056 Module32First 56841->56842 56841->56843 56844 63e065 56842->56844 56845 63d88e 56842->56845 56843->56841 56843->56842 56847 63dcd5 56844->56847 56848 63dd00 
56847->56848 56849 63dd11 VirtualAlloc 56848->56849 56850 63dd49 56848->56850 56849->56850 56850->56850
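                      The execution_graph above is printed as one token stream of node definitions, API labels and id->id edges, which hides the call sequence it records. The script below is an added example, not part of the report, that parses the stream back into a graph and lists the API calls reachable from each entry node: for the stub at 0x20d0000 that reads as SetErrorMode, GetPEB, VirtualAlloc, VirtualProtect, VirtualFree, LoadLibraryA, the sequence of a self-mapping unpacker, and for the routine at 0x63d876 as CreateToolhelp32Snapshot, Module32First, VirtualAlloc. The token rules (a decimal id followed by a hex address opens a node, "<n> API calls" and "<n> library calls" are annotations, CamelCase labels are API names) are assumptions inferred from the page's own layout; the excerpt is copied from the graph on this page.

```python
"""Parse the flattened execution_graph of a Joe Sandbox report.

Token rules assumed from the page's layout: "<decimal id> <hex address>"
opens a node, "<id>-><id>" is an edge, "<n> API calls" / "<n> library calls"
are summary annotations, and any other token is a label (API name or
library symbol) on the most recently opened node.
"""
import re
from collections import deque

# Excerpt copied from this report's execution_graph: the stub at 0x20d0000
# and the module-walking routine at 0x63d876.
GRAPH_EXCERPT = (
    "execution_graph 56690 20d003c 56691 20d0049 56690->56691 56705 20d0e0f SetErrorMode SetErrorMode "
    "56691->56705 56696 20d0265 56697 20d02ce VirtualProtect 56696->56697 56699 20d030b 56697->56699 "
    "56698 20d0439 VirtualFree 56703 20d05f4 LoadLibraryA 56698->56703 56704 20d04be 56698->56704 "
    "56699->56698 56700 20d04e3 LoadLibraryA 56700->56704 56702 20d08c7 56703->56702 56704->56700 "
    "56704->56703 56706 20d0223 56705->56706 56707 20d0d90 56706->56707 56708 20d0dad 56707->56708 "
    "56709 20d0dbb GetPEB 56708->56709 56710 20d0238 VirtualAlloc 56708->56710 56709->56710 56710->56696 "
    "56836 63d876 56837 63d885 56836->56837 56840 63e016 56837->56840 56843 63e031 56840->56843 "
    "56841 63e03a CreateToolhelp32Snapshot 56842 63e056 Module32First 56841->56842 56841->56843 "
    "56844 63e065 56842->56844 56845 63d88e 56842->56845 56843->56841 56843->56842 56847 63dcd5 "
    "56844->56847 56848 63dd00 56847->56848 56849 63dd11 VirtualAlloc 56848->56849 56850 63dd49 "
    "56848->56850 56849->56850 56850->56850"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
HEX_RE = re.compile(r"^[0-9a-f]{5,8}$")
API_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9]*$")   # Win32 API names; excludes C++/CRT symbols


def parse_execution_graph(text):
    """Return ({node_id: (address, [labels])}, {node_id: [successor ids]})."""
    tokens = text.split()
    nodes, adj, current, i = {}, {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            adj.setdefault(int(m[1]), []).append(int(m[2]))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_RE.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = (int(tokens[i + 1], 16), [])
            i += 2
        elif tok.isdigit() and i + 2 < len(tokens) and tokens[i + 1] in ("API", "library") \
                and tokens[i + 2] == "calls":
            i += 3                                  # "<n> API calls" summary, not an API name
        else:
            if current is not None:
                nodes[current][1].append(tok)
            i += 1
    for nid in nodes:
        adj.setdefault(nid, [])
    return nodes, adj


def entry_nodes(nodes, adj):
    """Nodes with no incoming edge, in definition order."""
    targets = {dst for dsts in adj.values() for dst in dsts}
    return [nid for nid in nodes if nid not in targets]


def api_chain(nodes, adj, root):
    """API labels on nodes reachable from root, in breadth-first order."""
    seen, order, queue = {root}, [], deque([root])
    while queue:
        nid = queue.popleft()
        order.extend(l for l in nodes.get(nid, (0, []))[1] if API_NAME_RE.match(l))
        for nxt in adj.get(nid, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return order


def apis_by_region(nodes, granularity=0x10000):
    """Distinct API names per aligned region, to see which memory does the calling."""
    regions = {}
    for addr, labels in nodes.values():
        base = addr - addr % granularity
        regions.setdefault(base, set()).update(l for l in labels if API_NAME_RE.match(l))
    return regions


if __name__ == "__main__":
    nodes, adj = parse_execution_graph(GRAPH_EXCERPT)
    for root in entry_nodes(nodes, adj):
        print(f"{nodes[root][0]:#x}: {' -> '.join(api_chain(nodes, adj, root))}")
    for base, apis in sorted(apis_by_region(nodes).items()):
        print(f"region {base:#x}: {sorted(apis)}")
```

                      The breadth-first order reflects distance in the graph, not a guaranteed execution order (the graph contains cycles, for instance 56700<->56704 and the self-loop on 56850), so confirm any sequence that matters against the control-flow graph entries that follow.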
                      APIs
                        • Part of subcall function 00408B30: GetTempPathA.KERNEL32(00000104,?,6B1A456B,?,00000000), ref: 00408B77
                      • GetFileAttributesA.KERNEL32(00000000), ref: 00409A73
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: AttributesFilePathTemp
                      • String ID: T2F
                      • API String ID: 3199926297-3862687658
                      • Opcode ID: 84fbc6621e579e57008791c477808e32c3563abeb327e72a22d70cef3c3b911a
                      • Instruction ID: f8d341d7b221fbf4855467c9c2f70b5ca956d984b14cba194293e40f11c0d304
                      • Opcode Fuzzy Hash: 84fbc6621e579e57008791c477808e32c3563abeb327e72a22d70cef3c3b911a
                      • Instruction Fuzzy Hash: D942E770D00244DBEF14EBB8C6497DE7BB2AF06314F24466AD411773C2D77D5A848BAA

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 460 43652b-436538 call 43a302 463 43655a-436566 call 43656d ExitProcess 460->463 464 43653a-436548 GetPEB 460->464 464->463 465 43654a-436554 GetCurrentProcess TerminateProcess 464->465 465->463
                      APIs
                      • GetCurrentProcess.KERNEL32(?,?,0043652A,?,?,?,?,?,00437661), ref: 0043654D
                      • TerminateProcess.KERNEL32(00000000,?,0043652A,?,?,?,?,?,00437661), ref: 00436554
                      • ExitProcess.KERNEL32 ref: 00436566
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$CurrentExitTerminate
                      • String ID:
                      • API String ID: 1703294689-0
                      • Opcode ID: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
                      • Instruction ID: 8ba592f2701f3bed1e9346099357e5860ce392234eb0f7d34856f934df6fdfbc
                      • Opcode Fuzzy Hash: 04b207d0b889d00e4800d5972e07640bc64685a596502c952aa2fb778607a5b5
                      • Instruction Fuzzy Hash: D7E0EC35000649BFCF116F59ED0D9493B69FB48746F059435FA0A86232CB7ADD92CF89

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 352 20d003c-20d0047 353 20d004c-20d0263 call 20d0a3f call 20d0e0f call 20d0d90 VirtualAlloc 352->353 354 20d0049 352->354 369 20d028b-20d0292 353->369 370 20d0265-20d0289 call 20d0a69 353->370 354->353 372 20d02a1-20d02b0 369->372 374 20d02ce-20d03c2 VirtualProtect call 20d0cce call 20d0ce7 370->374 372->374 375 20d02b2-20d02cc 372->375 381 20d03d1-20d03e0 374->381 375->372 382 20d0439-20d04b8 VirtualFree 381->382 383 20d03e2-20d0437 call 20d0ce7 381->383 385 20d04be-20d04cd 382->385 386 20d05f4-20d05fe 382->386 383->381 388 20d04d3-20d04dd 385->388 389 20d077f-20d0789 386->389 390 20d0604-20d060d 386->390 388->386 394 20d04e3-20d0505 LoadLibraryA 388->394 392 20d078b-20d07a3 389->392 393 20d07a6-20d07b0 389->393 390->389 395 20d0613-20d0637 390->395 392->393 396 20d086e-20d08be LoadLibraryA 393->396 397 20d07b6-20d07cb 393->397 398 20d0517-20d0520 394->398 399 20d0507-20d0515 394->399 400 20d063e-20d0648 395->400 404 20d08c7-20d08f9 396->404 401 20d07d2-20d07d5 397->401 402 20d0526-20d0547 398->402 399->402 400->389 403 20d064e-20d065a 400->403 405 20d0824-20d0833 401->405 406 20d07d7-20d07e0 401->406 407 20d054d-20d0550 402->407 403->389 408 20d0660-20d066a 403->408 409 20d08fb-20d0901 404->409 410 20d0902-20d091d 404->410 416 20d0839-20d083c 405->416 411 20d07e4-20d0822 406->411 412 20d07e2 406->412 413 20d0556-20d056b 407->413 414 20d05e0-20d05ef 407->414 415 20d067a-20d0689 408->415 409->410 411->401 412->405 417 20d056d 413->417 418 20d056f-20d057a 413->418 414->388 419 20d068f-20d06b2 415->419 420 20d0750-20d077a 415->420 416->396 421 20d083e-20d0847 416->421 417->414 423 20d057c-20d0599 418->423 424 20d059b-20d05bb 418->424 425 20d06ef-20d06fc 419->425 426 20d06b4-20d06ed 419->426 420->400 427 20d0849 421->427 428 20d084b-20d086c 421->428 435 20d05bd-20d05db 423->435 424->435 429 20d06fe-20d0748 425->429 430 20d074b 425->430 426->425 427->396 428->416 429->430 430->415 435->407
                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020D024D
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID: cess$kernel32.dll
                      • API String ID: 4275171209-1230238691
                      • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction ID: dca78506bd68bbaebe83f703c92878055dae886c6e97be66cdc185833bc2fdca
                      • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                      • Instruction Fuzzy Hash: 62525A74A01229DFDB64CF58C984BACBBB1BF09314F1480D9E94DAB351DB30AA95DF14
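The function at 020D003C lives in a region the sandbox dumps "based on PE: false", and its call list is the manual-mapping sequence: VirtualAlloc with PAGE_READWRITE (00000004) for the destination, a copy loop, VirtualProtect to set each section's rights, LoadLibraryA for imports, and VirtualFree of the source buffer. The block below is an added example by the editor, not code from the report or from the sample: a Python reconstruction in miniature of the map step and of the per-section protection decision, run over a PE32 image constructed inline so that it works offline. The stub's real internal layout is not known from the report, so the layout here is the generic one that the API list implies, and import resolution is left out.

```python
"""Miniature of the manual-map sequence behind the stub at 020D003C (editor's example; not code
from the report or the sample).  Known from the report is only the call list:
VirtualAlloc(PAGE_READWRITE) -> copy -> VirtualProtect -> LoadLibraryA -> VirtualFree.
The PE32 image is constructed inline; import resolution is omitted."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x02, 0x04, 0x20, 0x40
SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_image(sections):
    """Construct a minimal PE32 file from [(name, characteristics, raw_bytes)] (constructed input)."""
    e_lfanew, n = 0x40, len(sections)
    hdr = -(-(e_lfanew + 24 + 224 + 40 * n) // FILE_ALIGN) * FILE_ALIGN   # SizeOfHeaders, file-aligned
    buf = bytearray(hdr)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, n, 0, 0, 0, 224, 0x0102)  # IMAGE_FILE_HEADER
    opt = e_lfanew + 24
    struct.pack_into("<H", buf, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x00400000)                # ImageBase
    struct.pack_into("<II", buf, opt + 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", buf, opt + 60, hdr)                       # SizeOfHeaders
    rva, raw = SECTION_ALIGN, hdr
    for i, (name, chars, data) in enumerate(sections):
        rsize = -(-len(data) // FILE_ALIGN) * FILE_ALIGN
        struct.pack_into(SECTION_HDR, buf, opt + 224 + 40 * i,
                         name.encode().ljust(8, b"\0"), len(data), rva, rsize, raw, 0, 0, 0, 0, chars)
        buf += data.ljust(rsize, b"\0")
        rva += -(-len(data) // SECTION_ALIGN) * SECTION_ALIGN
        raw += rsize
    struct.pack_into("<I", buf, opt + 56, rva)                       # SizeOfImage
    return bytes(buf)


def parse_sections(img):
    """Walk the section table.  Returns [] when the MZ/PE headers are absent, which is what a
    dumped region without an intact header looks like."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    n = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(n):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, img, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode(), "rva": va, "vsize": vsize,
                    "raw": rptr, "rsize": rsize, "chars": chars})
    return out


def page_protection(chars):
    """VirtualProtect value a loader derives from the IMAGE_SCN_MEM_* bits; a section that ends up
    writable and executable is what section-rights detections key on."""
    x, w = chars & IMAGE_SCN_MEM_EXECUTE, chars & IMAGE_SCN_MEM_WRITE
    if x and w:
        return PAGE_EXECUTE_READWRITE
    return PAGE_EXECUTE_READ if x else (PAGE_READWRITE if w else PAGE_READONLY)


def map_image(img):
    """Stage 1 of the stub: VirtualAlloc(NULL, SizeOfImage, MEM_COMMIT, PAGE_READWRITE), then copy
    the headers and each section to its RVA.  Returns (mapped, plan); plan holds the
    (name, rva, size, PAGE_*) tuples of the VirtualProtect calls stage 2 would make."""
    sections = parse_sections(img)
    if not sections:
        return b"", []
    opt = struct.unpack_from("<I", img, 0x3C)[0] + 24
    size_of_image = struct.unpack_from("<I", img, opt + 56)[0]
    size_of_headers = struct.unpack_from("<I", img, opt + 60)[0]
    mapped = bytearray(size_of_image)
    mapped[:size_of_headers] = img[:size_of_headers]
    plan = []
    for s in sections:
        mapped[s["rva"]:s["rva"] + s["rsize"]] = img[s["raw"]:s["raw"] + s["rsize"]]
        plan.append((s["name"], s["rva"], max(s["vsize"], s["rsize"]), page_protection(s["chars"])))
    return bytes(mapped), plan


def wx_sections(img):
    """Names of the sections the mapping would leave both writable and executable."""
    return [name for name, _, _, prot in map_image(img)[1] if prot == PAGE_EXECUTE_READWRITE]


if __name__ == "__main__":
    # Constructed sample: a normal R+X code section and an R+W data section
    sample = build_image([(".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | 0x20, b"\x55\x8b\xec\x5d\xc3"),
                          (".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | 0x40, b"kernel32.dll\0")])
    print(map_image(sample)[1], wx_sections(sample))
```

Run the same parse over a dumped .sdmp region: an empty section list means the header is not intact and the region has to be carved by section alignment instead.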

                      Control-flow Graph
                      • Function 0043B17D, basic blocks 43b17d-43b242: LoadLibraryExW (two call sites), GetLastError, FreeLibrary; local subroutine 43a2c8
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: G"@$api-ms-$ext-ms-
                      • API String ID: 0-3963426706
                      • Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction ID: bce6c0f499f03009e687f81e13829494c96e42a1ade786342b8d5ba6f6eadec1
                      • Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction Fuzzy Hash: 82210875A41714ABCB214B65AC4CB2F3758DB097A0F2027A3FE55A7391D738ED0086ED

                      Control-flow Graph
                      • Function 0063E016, basic blocks 63e016-63e074: CreateToolhelp32Snapshot, Module32First; local subroutine 63dcd5 (the VirtualAlloc function listed below)
                      APIs
                      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0063E03E
                      • Module32First.KERNEL32(00000000,00000224), ref: 0063E05E
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788999781.000000000063D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0063D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_63d000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CreateFirstModule32SnapshotToolhelp32
                      • String ID:
                      • API String ID: 3833638111-0
                      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction ID: 9ab2300ade4147702a5601f59d5ed9b8d8f51846b3bc0dcf966acea57a1e5957
                      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                      • Instruction Fuzzy Hash: B7F0CD32200314ABD7343BB8AC8CBAE76E9AF49324F100128E643911C0CBB1E8458AA1

                      Control-flow Graph
                      • Function 020D0E0F, basic blocks 20d0e0f-20d0e2c: SetErrorMode (two call sites) followed by a conditional branch
                      APIs
                      • SetErrorMode.KERNELBASE(00000400,?,?,020D0223,?,?), ref: 020D0E19
                      • SetErrorMode.KERNELBASE(00000000,?,?,020D0223,?,?), ref: 020D0E1E
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorMode
                      • String ID:
                      • API String ID: 2340568224-0
                      • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction ID: 6694f36606793361b509c331fc2bc32e2ccd64f7af50ad39e78bfb29505a1a99
                      • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                      • Instruction Fuzzy Hash: 87D0123114522877D7412AA4DC09BCD7B5CDF05B66F008011FB0DD9080C770954046E9

                      Control-flow Graph
                      • Function 0043B244, basic blocks 43b244-43b2c6: GetProcAddress; local subroutines 43b17d (the LoadLibraryExW function above), 4363bb
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 311fcbad5a498476ba4258b7768733b558a54d480fd29b7d435a1f88038dd687
                      • Instruction ID: 4c620e143bcf96f25956d88b1cbf9dacd5dc84731e444759e69defc360d9fbde
                      • Opcode Fuzzy Hash: 311fcbad5a498476ba4258b7768733b558a54d480fd29b7d435a1f88038dd687
                      • Instruction Fuzzy Hash: C801D637700511AF9B168E6AEC49F5B3396EB89370B245262FB00DB164EB74D80196DA

                      Control-flow Graph
                      • Function 0063DCD5, basic blocks 63dcd5-63dd5d: VirtualAlloc; local subroutines 63dfe8, 63dd62
                      APIs
                      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0063DD26
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788999781.000000000063D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0063D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_63d000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction ID: 8707c5fbb2a2588ec3644ad6708cbd5ffb35c579032fb5a863a7977a4e03ff0e
                      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                      • Instruction Fuzzy Hash: D4112B79A00208EFDB01DF98C985E98BBF5AF08350F058094F9489B362D375EA50DB90
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004070CD
                      • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040712B
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00407144
                      • GetThreadContext.KERNEL32(?,00000000), ref: 00407159
                      • ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00407179
                      • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004071BB
                      • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004071D8
                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407291
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
                      • String ID: $VUUU$invalid stoi argument
                      • API String ID: 3796053839-3954507777
                      • Opcode ID: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
                      • Instruction ID: 38b2a2fa096ae382cc622da32822fc99d79a3e7951b2d8ee4b07a12606b8df86
                      • Opcode Fuzzy Hash: 27f6c6112b243df7e53398a743d978e592acbef08456db8e92c72c1a99b34ae4
                      • Instruction Fuzzy Hash: 59418D74644301BFE7609F50DC06FAA7BE8BF88B05F000529FA84E62D1D7B4E944CB9A
                      APIs
                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 020D7334
                      • CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 020D7392
                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 020D73AB
                      • GetThreadContext.KERNEL32(?,00000000), ref: 020D73C0
                      • ReadProcessMemory.KERNEL32(?,00458DF8,?,00000004,00000000), ref: 020D73E0
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Process$AllocContextCreateFileMemoryModuleNameReadThreadVirtual
                      • String ID: VUUU
                      • API String ID: 338953623-2040033107
                      • Opcode ID: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
                      • Instruction ID: 0ee7fd10736db503c248e2900b1d2c7b7ae2cb62dd64fec34465bdcaf14ff59f
                      • Opcode Fuzzy Hash: 8d52878efc5f8f8a1e952e44b6c95f7c24c53631ccf418eeef8ebfb25720e601
                      • Instruction Fuzzy Hash: 6051D371644340AFD7119B64DC45F9ABBE9FF84B05F404529FA44EA2E0EBB0E904CF9A
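The two listings above (004070CD in the original image, 020D7334 in the unpacked copy) are the same function: GetModuleFileNameA fetches its own path, CreateProcessA is called with dwCreationFlags 00000004 (CREATE_SUSPENDED), GetThreadContext and a 4-byte ReadProcessMemory follow (consistent with reading the suspended child's image base from its PEB), VirtualAllocEx asks for 00003000 (MEM_COMMIT|MEM_RESERVE) with 00000040 (PAGE_EXECUTE_READWRITE), and WriteProcessMemory fills it. That is process hollowing into a fresh copy of itself. The same kind of reading applies to the SetErrorMode pair at 020D0E19/020D0E1E (00000400 is not a defined SEM_* bit, and the second call returns the previous mode, so the pair followed by a branch is the editor's reading of a check for an environment that does not track that state) and to CreateToolhelp32Snapshot(00000008 = TH32CS_SNAPMODULE, 0) plus Module32First at 0063E03E. By contrast, the 40 GetProcAddress resolves at 0041C768 and the Concurrency::details entries are the statically linked MSVC runtime (its optional kernel32 imports and ConcRT), not the payload's own API resolution. The block below is an added example by the editor, not code from the report or the sample: a rule-based triage of these listings in the report's own "• Api.MODULE(args), ref: ADDR" format, with the three listings copied from this page as constructed test input; the line format and the argument positions used are the editor's assumptions.

```python
"""Rule-based triage of Joe Sandbox "APIs" listings (editor's example; not report or sample code).

Assumed input format: one call per line, "• Api.MODULE(arg,...), ref: ADDR", as printed in this
report.  Arguments are 32-bit hex immediates, "?" for values the sandbox could not resolve, or
symbolic names (export names in GetProcAddress lines)."""
import re

API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<mod>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)",
    re.MULTILINE,
)

# Win32 constants behind the immediates in this report
CREATE_SUSPENDED = 0x00000004           # CreateProcessA dwCreationFlags (parameter index 5)
PAGE_EXECUTE_READWRITE = 0x00000040     # VirtualAlloc/VirtualAllocEx flProtect
TH32CS_SNAPMODULE = 0x00000008          # CreateToolhelp32Snapshot dwFlags
SEM_DEFINED_BITS = 0x0001 | 0x0002 | 0x0004 | 0x8000   # the only SetErrorMode flags Windows defines


def parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None                       # unknown to the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)               # 32-bit immediate
    return tok                            # symbolic, e.g. an export name


def parse_calls(text):
    """(api, args, ref) for every API line, in listing order."""
    return [(m["api"], [parse_arg(a) for a in m["args"].split(",")], int(m["ref"], 16))
            for m in API_LINE.finditer(text)]


def flag_hollowing(calls):
    """CreateProcess* with CREATE_SUSPENDED, then GetThreadContext and WriteProcessMemory in the
    same function: the RunPE sequence of 004070CD / 020D7334.  Returns the CreateProcess ref."""
    for i, (api, args, ref) in enumerate(calls):
        if (api.startswith("CreateProcess") and len(args) > 5
                and isinstance(args[5], int) and args[5] & CREATE_SUSPENDED):
            later = {a for a, _, _ in calls[i + 1:]}
            if {"GetThreadContext", "WriteProcessMemory"} <= later:
                return ref
    return None


def flag_rwx_alloc(calls):
    """VirtualAlloc (flProtect at index 3) / VirtualAllocEx (index 4) asking for RWX memory."""
    idx = {"VirtualAlloc": 3, "VirtualAllocEx": 4}
    return [ref for api, args, ref in calls
            if api in idx and len(args) > idx[api] and args[idx[api]] == PAGE_EXECUTE_READWRITE]


def flag_seterrormode_probe(calls):
    """SetErrorMode(x) with x outside the defined bits, immediately followed by SetErrorMode(0).
    The second call returns the previous mode, so the pair tests whether the environment tracks
    that state (editor's reading of the 020D0E19/020D0E1E pair and the branch after it)."""
    for (a1, args1, ref1), (a2, args2, _) in zip(calls, calls[1:]):
        if (a1 == a2 == "SetErrorMode" and isinstance(args1[0], int)
                and args1[0] & ~SEM_DEFINED_BITS and args2[0] == 0):
            return ref1
    return None


def flag_module_snapshot(calls):
    """CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0) + Module32First: code locating its own host module."""
    apis = [a for a, _, _ in calls]
    for api, args, ref in calls:
        if api == "CreateToolhelp32Snapshot" and args[:2] == [TH32CS_SNAPMODULE, 0] and "Module32First" in apis:
            return ref
    return None


def triage(text):
    calls = parse_calls(text)
    return {"hollowing_at": flag_hollowing(calls),
            "rwx_alloc_at": flag_rwx_alloc(calls),
            "seterrormode_probe_at": flag_seterrormode_probe(calls),
            "module_snapshot_at": flag_module_snapshot(calls)}


# Listings copied from this report's entries (constructed test input, not a live trace)
HOLLOW = """
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004070CD
• CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0040712B
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00407144
• GetThreadContext.KERNEL32(?,00000000), ref: 00407159
• ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00407179
• VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 004071BB
• WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 004071D8
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407291
"""
SEM_PROBE = """
• SetErrorMode.KERNELBASE(00000400,?,?,020D0223,?,?), ref: 020D0E19
• SetErrorMode.KERNELBASE(00000000,?,?,020D0223,?,?), ref: 020D0E1E
"""
TOOLHELP = """
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0063E03E
• Module32First.KERNEL32(00000000,00000224), ref: 0063E05E
"""

if __name__ == "__main__":
    for name, text in (("004070CD", HOLLOW), ("020D0E19", SEM_PROBE), ("0063E03E", TOOLHELP)):
        print(name, triage(text))
```

The rules deliberately key on argument values rather than API names alone: a CreateProcessA without CREATE_SUSPENDED, or a VirtualAlloc with PAGE_READWRITE such as the one at 00407144, is ordinary and must not fire.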
                      APIs
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020F117D
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020F11C9
                        • Part of subcall function 020F28C4: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 020F29B7
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 020F1235
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020F1251
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020F12A5
                      • Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 020F12D2
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 020F1328
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                      • String ID: (
                      • API String ID: 2943730970-3887548279
                      • Opcode ID: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
                      • Instruction ID: 92a9a012a23db7b044d8e432b9d058911f89234b9e52b9c23649fce3b099ab30
                      • Opcode Fuzzy Hash: 97f5cfb5054145a50c69719e5e21d6391f3292fc1eddb95c28002738003bc8bd
                      • Instruction Fuzzy Hash: 3EB19CB0A40615EFCB99CF68D980A7EF7F5FF48704F144169D909ABA80D370B981DBA4
                      APIs
                        • Part of subcall function 020F2F63: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 020F2F76
                      • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 020F187B
                        • Part of subcall function 020F3076: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 020F30A0
                      • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 020F19AD
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 020F1A0D
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 020F1A19
                      • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 020F1A54
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 020F1A75
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 020F1A81
                      • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 020F1A8A
                      • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 020F1AA2
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Manager::Resource$Allocation$CoresDynamic$AdjustCoreDataDistributePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalHandleIdleIncreaseInitializeLoadedProcessResetScheduler
                      • String ID:
                      • API String ID: 3189225155-0
                      • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction ID: da29910828e6cd5e2e102bfae9f8cf8cb8a12b9bfb8d0ac6bd2a42a925d79e25
                      • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction Fuzzy Hash: 8F814771E44325EFCB59CFA8C580AADF7F2BF48304B1546ADD949ABB01C730A942DB90
                      APIs
                        • Part of subcall function 00422CFC: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00422D0F
                      • Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00421614
                        • Part of subcall function 00422E0F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00422E39
                      • Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00421746
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 004217A6
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 004217B2
                      • Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 004217ED
                      • Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0042180E
                      • Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0042181A
                      • Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00421823
                      • Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0042183B
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Manager::Resource$Allocation$CoresDynamic$AdjustCoreDataDistributePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalHandleIdleIncreaseInitializeLoadedProcessResetScheduler
                      • String ID:
                      • API String ID: 3189225155-0
                      • Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction ID: 90d9306956e5cc9bb6704af0189ae29657119f80b0b7e1970bf61bc55afc2ad7
                      • Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
                      • Instruction Fuzzy Hash: FA818C71F00225AFCB18DFA9D580A6EB7F1FF98304B6542AED405A7711CB74AD42CB88
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020FEEE8
                        • Part of subcall function 020F9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020F91B7
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 020FEF4E
                      • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 020FEF66
                      • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 020FEF73
                        • Part of subcall function 020FEA16: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 020FEA3E
                        • Part of subcall function 020FEA16: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 020FEAD6
                        • Part of subcall function 020FEA16: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 020FEAE0
                        • Part of subcall function 020FEA16: Concurrency::location::_Assign.LIBCMT ref: 020FEB14
                        • Part of subcall function 020FEA16: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 020FEB1C
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                      • String ID:
                      • API String ID: 2363638799-0
                      • Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction ID: e1e610b7529e5e3df30713b55e54cb95055dd3df790bf733af0b1374c659c42a
                      • Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction Fuzzy Hash: 6D51A135A40305ABCF55EF50C888BADB776AF44314F0540A8EE026BBE5CB70AE45DBA1
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EC81
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0042ECE7
                      • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0042ECFF
                      • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0042ED0C
                        • Part of subcall function 0042E7AF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7
                        • Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
                        • Part of subcall function 0042E7AF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
                        • Part of subcall function 0042E7AF: Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
                        • Part of subcall function 0042E7AF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
                      • String ID:
                      • API String ID: 2363638799-0
                      • Opcode ID: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction ID: 5e7ff754d2b343dc4c16742e0cc3e1cb9d27b644ec3e5e3051372794b2f11420
                      • Opcode Fuzzy Hash: 61a48eb18c36016cf9376c863cf090d5461b458c764e45c256d8a2d92b022f72
                      • Instruction Fuzzy Hash: 8051E335B10225EBCF14DF52D885BAEB771AF44314F5540AAE9027B392CB78AE02CB95

                      Control-flow Graph
                      • Function 0041C768, single basic block 41c768-41ca21: GetModuleHandleW, GetProcAddress (40 call sites)
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0041C76E
                      • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0041C77C
                      • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0041C78D
                      • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0041C79E
                      • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0041C7AF
                      • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0041C7C0
                      • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0041C7D1
                      • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0041C7E2
                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0041C7F3
                      • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0041C804
                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0041C815
                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0041C826
                      • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0041C837
                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0041C848
                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0041C859
                      • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0041C86A
                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0041C87B
                      • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0041C88C
                      • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0041C89D
                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0041C8AE
                      • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0041C8BF
                      • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0041C8D0
                      • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0041C8E1
                      • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0041C8F2
                      • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0041C903
                      • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0041C914
                      • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0041C925
                      • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0041C936
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041C947
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041C958
                      • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0041C969
                      • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0041C97A
                      • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0041C98B
                      • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0041C99C
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0041C9AD
                      • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0041C9BE
                      • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0041C9CF
                      • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0041C9E0
                      • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0041C9F1
                      • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0041CA02
                      • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0041CA13
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$HandleModule
                      • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                      • API String ID: 667068680-295688737
                      • Opcode ID: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
                      • Instruction ID: b27cf2173bd35c32a824bf4ef6feeb97883ccbcf9f0634586d8c00e0a98c48d7
                      • Opcode Fuzzy Hash: 7095254045faed2553d93f0c9490efac9b80fc04d73eb81a88eda45e0edda8b1
                      • Instruction Fuzzy Hash: A5612A75952710EBD7016FB4BC4DF893AB8EA09B93B608537F905D21B2E6F88104CB6D

                      Control-flow Graph
                      • Function 0041F028, basic blocks 41f028-41f2ce: no direct Win32 calls; local subroutines 41d942, 41c0e9, 433b04, 41ee5f, 41e1b9, 41f3dd, 41e89f, 41e647, 41f40f, 422340, 4201b2, 41e561, 41fbaa, 41ac11, 420366, 41e305, 41d91c
                      APIs
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041F2BB
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::invalid_argument::invalid_argument
                      • String ID: pEvents
                      • API String ID: 2141394445-2498624650
                      • Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction ID: 66998cc49b15140c198e060e127dcf308e046c772bddf22695f73d3154dbb627
                      • Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction Fuzzy Hash: 0D819F35D00218DBCF14DFA5C981BEEB7B1AF54314F14406AE801A7282D77DAD8ACB59
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0210F60A
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F1C0
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F1D2
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F1E4
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F1F6
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F208
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F21A
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F22C
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F23E
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F250
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F262
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F274
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F286
                        • Part of subcall function 0210F1A3: _free.LIBCMT ref: 0210F298
                      • _free.LIBCMT ref: 0210F5FF
                        • Part of subcall function 0210B05C: HeapFree.KERNEL32(00000000,00000000,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?), ref: 0210B072
                        • Part of subcall function 0210B05C: GetLastError.KERNEL32(?,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?,?), ref: 0210B084
                      • _free.LIBCMT ref: 0210F621
                      • _free.LIBCMT ref: 0210F636
                      • _free.LIBCMT ref: 0210F641
                      • _free.LIBCMT ref: 0210F663
                      • _free.LIBCMT ref: 0210F676
                      • _free.LIBCMT ref: 0210F684
                      • _free.LIBCMT ref: 0210F68F
                      • _free.LIBCMT ref: 0210F6C7
                      • _free.LIBCMT ref: 0210F6CE
                      • _free.LIBCMT ref: 0210F6EB
                      • _free.LIBCMT ref: 0210F703
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID: 8"F$`'F
                      • API String ID: 161543041-3117062166
                      • Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction ID: 148b0750b5e10556c3f5b4584dff8a353032c3c05b7815e39b628c79c49416c5
                      • Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction Fuzzy Hash: 51315A31684301DFEB31AAB8D886B5B77EAFF00358F144419E069D79E0DFB1A982CB50
                      APIs
                      • ___free_lconv_mon.LIBCMT ref: 0043F3A3
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF59
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF6B
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF7D
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EF8F
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFA1
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFB3
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFC5
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFD7
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFE9
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043EFFB
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F00D
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F01F
                        • Part of subcall function 0043EF3C: _free.LIBCMT ref: 0043F031
                      • _free.LIBCMT ref: 0043F398
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043F3BA
                      • _free.LIBCMT ref: 0043F3CF
                      • _free.LIBCMT ref: 0043F3DA
                      • _free.LIBCMT ref: 0043F3FC
                      • _free.LIBCMT ref: 0043F40F
                      • _free.LIBCMT ref: 0043F41D
                      • _free.LIBCMT ref: 0043F428
                      • _free.LIBCMT ref: 0043F460
                      • _free.LIBCMT ref: 0043F467
                      • _free.LIBCMT ref: 0043F484
                      • _free.LIBCMT ref: 0043F49C
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                      • String ID: 8"F$`'F
                      • API String ID: 161543041-3117062166
                      • Opcode ID: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction ID: 543839021cf0bf63342fab8d7291383f9c2b30be018e8c543b9015e977d3828c
                      • Opcode Fuzzy Hash: 922a2dd1448a5ec672de729c29137a8fc27b2943f4b4aaf69956ccaefb2f6592
                      • Instruction Fuzzy Hash: 0C31A232A00201DFEB206A3AD845B5B73E6EF18315F10642FE485D7691DF78EC94CB19
                      APIs
                      • __EH_prolog3.LIBCMT ref: 020EF296
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 020EF522
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: H_prolog3std::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 1590901807-0
                      • Opcode ID: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction ID: bfce2d2d45f89619ffa26588eda86749469fc3f0fd19c4a3fd1de44b0f5e3e2f
                      • Opcode Fuzzy Hash: 6fac62366cbd6f5e6cb8ab906c87716b022ac4ce341200765e397ba53b1eaef3
                      • Instruction Fuzzy Hash: 8E819F72E0031A9FCF26DFA8C988BEEB7B5BF44314F244119D406A7681D734A985EB51
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
                      • API String ID: 0-3963862150
                      • Opcode ID: 7b30f4bb64713f8e8560b0a060365d672a22d772f42773569fe59456b17a37f7
                      • Instruction ID: 448877648adff1088d2a9d486534a169f5918e2e35df4f0b5b8ee8aeb0257759
                      • Opcode Fuzzy Hash: 7b30f4bb64713f8e8560b0a060365d672a22d772f42773569fe59456b17a37f7
                      • Instruction Fuzzy Hash: 5DF1C170900248ABEB24DF54CD85BDEBBB9EB45304F5041AAF509A72C1DB789A84CF99
                      APIs
                      • InitializeCriticalSectionAndSpinCount.KERNEL32(00465750,00000FA0,?,?,0041D007), ref: 0041D035
                      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0041D007), ref: 0041D040
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0041D007), ref: 0041D051
                      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0041D063
                      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0041D071
                      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0041D007), ref: 0041D094
                      • ___scrt_fastfail.LIBCMT ref: 0041D0A5
                      • RtlDeleteCriticalSection.NTDLL(00465750), ref: 0041D0B0
                      • CloseHandle.KERNEL32(00000000,?,?,0041D007), ref: 0041D0C0
                      Strings
                      • WakeAllConditionVariable, xrefs: 0041D069
                      • SleepConditionVariableCS, xrefs: 0041D05D
                      • kernel32.dll, xrefs: 0041D04C
                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041D03B
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
                      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                      • API String ID: 3578986977-3242537097
                      • Opcode ID: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
                      • Instruction ID: da8957fb05adf3e2478d3987b837cced664d2ae1275a3d1fb98c7f3dc6632c06
                      • Opcode Fuzzy Hash: 5773b3b592dab99726245edcd6fa20dcc163fa756fd668b0a9920edcf870acc0
                      • Instruction Fuzzy Hash: 1501B575E40B11ABDB211B75AC08F9B3A98DB45B57F140132FC05D22A1EAB9CC41CA6E
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 0210294A
                        • Part of subcall function 02102748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0210276B
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 0210296B
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 02102978
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 021029C6
                      • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 02102A4D
                      • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 02102A60
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 02102AAD
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                      • String ID:
                      • API String ID: 2530155754-0
                      • Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction ID: 6544ca2ba9680c8a84fc615bc9882d63230960e5be75d2422f9f9ceb272e89fb
                      • Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction Fuzzy Hash: C581C230980249AFDF26DFA4C9D8BFE7B76AF45308F044098EC512B2D1C7B68955DB62
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 004326E3
                        • Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00432704
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00432711
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043275F
                      • Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 004327E6
                      • Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 004327F9
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00432846
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
                      • String ID:
                      • API String ID: 2530155754-0
                      • Opcode ID: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction ID: fb03d83531a47042b93fe6564ff1c061b34d3f88821af197b1cf19dfef14ec32
                      • Opcode Fuzzy Hash: c59a2110c268144207470cacd74e4257a298ce88abd0f6ffd6155045285da657
                      • Instruction Fuzzy Hash: 6B81C270900249ABDF169F54CA41BBF7BB1AF0D308F04509AEC4127352C7BA8D16DB65
                      APIs
                      • __EH_prolog3.LIBCMT ref: 020F474C
                      • ListArray.LIBCONCRT ref: 020F479F
                        • Part of subcall function 020F4580: RtlInitializeSListHead.NTDLL(?), ref: 020F464C
                        • Part of subcall function 020F4580: RtlInitializeSListHead.NTDLL(?), ref: 020F4656
                      • ListArray.LIBCONCRT ref: 020F47D3
                      • Hash.LIBCMT ref: 020F483C
                      • Hash.LIBCMT ref: 020F484C
                      • RtlInitializeSListHead.NTDLL(?), ref: 020F48E1
                      • RtlInitializeSListHead.NTDLL(?), ref: 020F48EE
                      • RtlInitializeSListHead.NTDLL(?), ref: 020F48FB
                      • RtlInitializeSListHead.NTDLL(?), ref: 020F4908
                        • Part of subcall function 020F9EA8: std::bad_exception::bad_exception.LIBCMT ref: 020F9ECA
                      • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 020F4990
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 020F49B2
                      • GetLastError.KERNEL32(020F56F2,?,?,00000000,?,?), ref: 020F49C4
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 020F49E1
                        • Part of subcall function 020EFE11: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,020F56F2,00000008,?,020F49E6,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 020EFE29
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020F4A0B
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorH_prolog3LastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                      • String ID:
                      • API String ID: 1224710184-0
                      • Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction ID: 176682174e8b751953d2cdd9b579472167b626e9a65c74253a9f4525319b398d
                      • Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction Fuzzy Hash: 4C816EB0A51B16AFD748DF74C844BDAFBA9BF08700F00421AE629D7680DBB5A164DFD1
                      APIs
                      • ListArray.LIBCONCRT ref: 00424538
                        • Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243E5
                        • Part of subcall function 00424319: RtlInitializeSListHead.NTDLL(?), ref: 004243EF
                      • ListArray.LIBCONCRT ref: 0042456C
                      • Hash.LIBCMT ref: 004245D5
                      • Hash.LIBCMT ref: 004245E5
                      • RtlInitializeSListHead.NTDLL(?), ref: 0042467A
                      • RtlInitializeSListHead.NTDLL(?), ref: 00424687
                      • RtlInitializeSListHead.NTDLL(?), ref: 00424694
                      • RtlInitializeSListHead.NTDLL(?), ref: 004246A1
                        • Part of subcall function 00429C41: std::bad_exception::bad_exception.LIBCMT ref: 00429C63
                      • RegisterWaitForSingleObject.KERNEL32(?,00000000,00427A15,?,000000FF,00000000), ref: 00424729
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0042474B
                      • GetLastError.KERNEL32(0042548B,?,?,00000000,?,?), ref: 0042475D
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0042477A
                        • Part of subcall function 0041FBAA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0042548B,00000008,?,0042477F,?,00000000,00427A06,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0041FBC2
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004247A4
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
                      • String ID:
                      • API String ID: 2750799244-0
                      • Opcode ID: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction ID: 8edcf0d5cb27459604d76cf7b2957bb715be8d06604c13dd231c773c6d0fd610
                      • Opcode Fuzzy Hash: cff4f1584c67b4dd39a057eedf59500e630592c2a8e2e850217cf0530dd3835e
                      • Instruction Fuzzy Hash: 37816EB0B10B22AAD708DF75D845BD9FBA8BF49704F50021FF42897281CBB8A564CBD5
                      APIs
                      • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 020F2AA8
                        • Part of subcall function 020F3D93: GetVersionExW.KERNEL32(?), ref: 020F3DB7
                        • Part of subcall function 020F3D93: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 020F3E56
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 020F2ABC
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 020F2ADD
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020F2B46
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020F2B7A
                        • Part of subcall function 020F0A54: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 020F0A74
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 020F2BFA
                        • Part of subcall function 020F25C3: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 020F25D7
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 020F2C42
                        • Part of subcall function 020F0A29: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020F0A45
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 020F2C56
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 020F2C67
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 020F2CB4
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 020F2CD9
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 020F2CE5
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                      • String ID:
                      • API String ID: 4140532746-0
                      • Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction ID: 859c5c871f59220d8a3702ec0e65dfb80f784e79247e00f26026fd7c714c859c
                      • Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction Fuzzy Hash: B381F071A807169FCB98DFA8D8906BDB7F2FB48304B24403DDE41E7A40E770A940EB95
                      APIs
                      • Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00422841
                        • Part of subcall function 00423B2C: GetVersionExW.KERNEL32(?), ref: 00423B50
                        • Part of subcall function 00423B2C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00423BEF
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422855
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422876
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004228DF
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00422913
                        • Part of subcall function 004207ED: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0042080D
                      • Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00422993
                        • Part of subcall function 0042235C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00422370
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229DB
                        • Part of subcall function 004207C2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004207DE
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 004229EF
                      • Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00422A00
                      • Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422A4D
                      • Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00422A72
                      • Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00422A7E
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
                      • String ID:
                      • API String ID: 4140532746-0
                      • Opcode ID: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction ID: e80cf76bb90d4b83ff5cf9a0939ff877604985d568bc9a9fcea241cccaa3ebda
                      • Opcode Fuzzy Hash: 9abd196dbe3760ed533f204942a39c663444424dc11bb6fb8cf1de85ffcec6e8
                      • Instruction Fuzzy Hash: 0481BF71B00526ABCB18DF69FA9057EB7F1BB48704B94403ED441A3741EBB8A981CB9D
                      APIs
                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00423BE6), ref: 0041FA7F
                      • GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0041FA8D
                      • GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0041FA9B
                      • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0041FAC9
                      • GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAE4
                      • GetLastError.KERNEL32(?,?,?,00423BE6), ref: 0041FAF0
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041FB06
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                      • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                      • API String ID: 1654681794-465693683
                      • Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
                      • Instruction ID: d2013d26350a1230dd44c523f95b164804869e8c7fe68790ab887d0678fdf32d
                      • Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
                      • Instruction Fuzzy Hash: 800165396003116F97107BB5BC4ABAB7AACAD04756724053BF805D2293EAACD449866D
                      APIs
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 02105607
                      • type_info::operator==.LIBVCRUNTIME ref: 0210562E
                      • ___TypeMatch.LIBVCRUNTIME ref: 0210573A
                      • CatchIt.LIBVCRUNTIME ref: 0210578F
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 02105815
                      • _UnwindNestedFrames.LIBCMT ref: 0210589C
                      • CallUnexpected.LIBVCRUNTIME ref: 021058B7
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 4234981820-393685449
                      • Opcode ID: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
                      • Instruction ID: 303208e6c62310c5ea890d2b709c23ee3911ff9fb269eee676c9d8c968346c04
                      • Opcode Fuzzy Hash: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
                      • Instruction Fuzzy Hash: 15C16E71880209EFCF29DF95C8C0AAEBBB7BF04314F94456AE8156B281D7B1D951CF91
                      APIs
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 004353A0
                      • type_info::operator==.LIBVCRUNTIME ref: 004353C7
                      • ___TypeMatch.LIBVCRUNTIME ref: 004354D3
                      • CatchIt.LIBVCRUNTIME ref: 00435528
                      • IsInExceptionSpec.LIBVCRUNTIME ref: 004355AE
                      • _UnwindNestedFrames.LIBCMT ref: 00435635
                      • CallUnexpected.LIBVCRUNTIME ref: 00435650
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionSpec$CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                      • String ID: csm$csm$csm
                      • API String ID: 4234981820-393685449
                      • Opcode ID: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
                      • Instruction ID: 7946f23dea792be26d4820a62e4550dff79cbb7357508b3bf55c7f92dc133849
                      • Opcode Fuzzy Hash: ad1611b132c96cd88c093627677e3344dfa0a654fa7a6ed2c70fbeb10c1165a9
                      • Instruction Fuzzy Hash: C3C1AA71800609EFCF19DF95C881AAEBBB5BF1C315F04615BE8156B206C338EA51CF99
                      APIs
                        • Part of subcall function 00441775: CreateFileW.KERNEL32(00000000,00000000,?,00441B65,?,?,00000000,?,00441B65,00000000,0000000C), ref: 00441792
                      • GetLastError.KERNEL32 ref: 00441BD0
                      • __dosmaperr.LIBCMT ref: 00441BD7
                      • GetFileType.KERNEL32(00000000), ref: 00441BE3
                      • GetLastError.KERNEL32 ref: 00441BED
                      • __dosmaperr.LIBCMT ref: 00441BF6
                      • CloseHandle.KERNEL32(00000000), ref: 00441C16
                      • CloseHandle.KERNEL32(0043AC92), ref: 00441D63
                      • GetLastError.KERNEL32 ref: 00441D95
                      • __dosmaperr.LIBCMT ref: 00441D9C
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                      • String ID: H
                      • API String ID: 4237864984-2852464175
                      • Opcode ID: 7e17bc01896d330f6a953f9dbc221eb630c8e931c060a5af7141eb9f4136a765
                      • Instruction ID: 908140145710097c147751781d0df85f7731599b948b663735adbecd062618f5
                      • Opcode Fuzzy Hash: 7e17bc01896d330f6a953f9dbc221eb630c8e931c060a5af7141eb9f4136a765
                      • Instruction Fuzzy Hash: 20A13972A041489FDF19DF68DC91BAE3BB1EB0A324F14015EE811EB3E1D7389942CB59
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 02102BE9
                        • Part of subcall function 02102748: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0210276B
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 02102C0A
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 02102C17
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 02102C65
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 02102D0D
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 02102D3F
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                      • String ID:
                      • API String ID: 1256429809-0
                      • Opcode ID: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
                      • Instruction ID: 67906a1700b1ca98aeaea1f221520aaf64d42ceb1603309a11adc1b4d13397c3
                      • Opcode Fuzzy Hash: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
                      • Instruction Fuzzy Hash: 8F719A70940209AFDF16DF94C9D8BBEBBB6AF49304F044099EC116B291C7B2DD16DB61
                      APIs
                      • Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00432982
                        • Part of subcall function 004324E1: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00432504
                      • Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 004329A3
                      • Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 004329B0
                      • Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 004329FE
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00432AA6
                      • Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00432AD8
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
                      • String ID:
                      • API String ID: 1256429809-0
                      • Opcode ID: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
                      • Instruction ID: 2c3f4ac1ddb9b2e884700b4006eb7aadb935b7841f65a9e333380771e6a1d96e
                      • Opcode Fuzzy Hash: df65faca3598a56f4a1189fa951469fdc42dcddc43790275eedfd99cb695ca9a
                      • Instruction Fuzzy Hash: 8271BC70A00249AFDF15DF54CA80BBFBBB1AF49308F04509AEC416B352C7B9AD16DB65
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020FECE0
                        • Part of subcall function 020F9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020F91B7
                      • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 020FECF9
                      • Concurrency::location::_Assign.LIBCMT ref: 020FED0F
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 020FED7C
                      • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 020FED84
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 020FEDAB
                      • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 020FEDB7
                      • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 020FEDEF
                      • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 020FEE0E
                      • Concurrency::details::SchedulerBase::VirtualProcessorIdle.LIBCONCRT ref: 020FEE1C
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 020FEE43
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$ContextVirtual$Processor::QuickScheduler$ClearCountedEventIdleInterlockedProcessorReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSlotSpinTasksThrowTraceUntilVisible
                      • String ID:
                      • API String ID: 3608406545-0
                      • Opcode ID: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
                      • Instruction ID: d01d3183aa1d6fb1107dc40f93a416e76932d297121d3ea29d371250f0ae52d9
                      • Opcode Fuzzy Hash: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
                      • Instruction Fuzzy Hash: FB51B1357403049FDB85EF24C485BED77A6BF49310F1940A9EE069BA96CB70A801DFA2
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 020F6C86
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 020F6CB8
                      • List.LIBCONCRT ref: 020F6CF3
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 020F6D04
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 020F6D20
                      • List.LIBCONCRT ref: 020F6D5B
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 020F6D6C
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020F6D87
                      • List.LIBCONCRT ref: 020F6DC2
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 020F6DCF
                        • Part of subcall function 020F6146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020F615E
                        • Part of subcall function 020F6146: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 020F6170
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 3403738998-0
                      • Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                      • Instruction ID: 19916c16a40e897f7e3af18e87bc12c178a603044f9d9c99c44f1284b7eec4f7
                      • Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                      • Instruction Fuzzy Hash: 8D514F71A40309AFDB84DF65C894BEDB7B9FF08304F444069DA15ABA81DB31AE44DF90
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00426A1F
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426A51
                      • List.LIBCONCRT ref: 00426A8C
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426A9D
                      • Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00426AB9
                      • List.LIBCONCRT ref: 00426AF4
                      • Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00426B05
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426B20
                      • List.LIBCONCRT ref: 00426B5B
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426B68
                        • Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425EF7
                        • Part of subcall function 00425EDF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00425F09
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 3403738998-0
                      • Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                      • Instruction ID: 579499c82c18d5a5ade90e723c63f8c40f3c28f02b2f1580fedc01109288aa91
                      • Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
                      • Instruction Fuzzy Hash: 9C516170B00229ABDB04DF65D495BEEB7A8FF08304F45406EE915EB381DB78AE45CB94
                      APIs
                      • _free.LIBCMT ref: 0210A7D6
                        • Part of subcall function 0210B05C: HeapFree.KERNEL32(00000000,00000000,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?), ref: 0210B072
                        • Part of subcall function 0210B05C: GetLastError.KERNEL32(?,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?,?), ref: 0210B084
                      • _free.LIBCMT ref: 0210A7E2
                      • _free.LIBCMT ref: 0210A7ED
                      • _free.LIBCMT ref: 0210A7F8
                      • _free.LIBCMT ref: 0210A803
                      • _free.LIBCMT ref: 0210A80E
                      • _free.LIBCMT ref: 0210A819
                      • _free.LIBCMT ref: 0210A824
                      • _free.LIBCMT ref: 0210A82F
                      • _free.LIBCMT ref: 0210A83D
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
                      • Instruction ID: 942a01d6b34c49c184c02a4c19cbd09668d33d295bf84785112f379a2c1692b2
                      • Opcode Fuzzy Hash: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
                      • Instruction Fuzzy Hash: B221A776944208EFDB11EF94C880DDE7BB9FF08344F008166A6299B565DB72EB448F80
                      APIs
                      • _free.LIBCMT ref: 0043A56F
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043A57B
                      • _free.LIBCMT ref: 0043A586
                      • _free.LIBCMT ref: 0043A591
                      • _free.LIBCMT ref: 0043A59C
                      • _free.LIBCMT ref: 0043A5A7
                      • _free.LIBCMT ref: 0043A5B2
                      • _free.LIBCMT ref: 0043A5BD
                      • _free.LIBCMT ref: 0043A5C8
                      • _free.LIBCMT ref: 0043A5D6
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
                      • Instruction ID: d5756e4be776d265c631e914caca5967b4e144ec79bf9f4ded6797d03f0bc009
                      • Opcode Fuzzy Hash: 1702a0a1dc840abddd1c64ba95121113f610cdca08529299edb68c6a0e13c010
                      • Instruction Fuzzy Hash: C021E776940108FFCB01EFA9C881CDE7BBABF08345F0051AAF5459B521EB35EA94CB85
                      APIs
                      • RtlDecodePointer.NTDLL(?), ref: 00445A9B
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: DecodePointer
                      • String ID: acos$asin$exp$log$log10$pow$sqrt
                      • API String ID: 3527080286-3064271455
                      • Opcode ID: 7e11b681a690fd98a2b640cdef5f2481af1cc968e8b139b6733d987c9b93043a
                      • Instruction ID: 8f21642526c0a384525b0a78e457c39df1912065d7a9ddf966662cad22d26739
                      • Opcode Fuzzy Hash: 7e11b681a690fd98a2b640cdef5f2481af1cc968e8b139b6733d987c9b93043a
                      • Instruction Fuzzy Hash: EE517E74904E4ADBEF109F58E88C5AE7F74FB05310F148157D880AA356CB789A2ACF1D
                      APIs
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273B0
                      • SwitchToThread.KERNEL32(?), ref: 004273D3
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 004273F2
                      • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0042740E
                      • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00427419
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00427440
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
                      • String ID: count$ppVirtualProcessorRoots
                      • API String ID: 3791123369-3650809737
                      • Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
                      • Instruction ID: 910b0151320ec7fd7557316ad521234f334c06ab70371bbe18cdfb5d61862d5e
                      • Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
                      • Instruction Fuzzy Hash: A8219334B00229EFCB10EF55D485AAEBBB5BF09344F54406AEC0197351CB38AE05CB98
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
                      • Instruction ID: 9958113e09f1b1452c86ebf69a4482de007578f3ae3b8e815f0c2eaffd4b43db
                      • Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
                      • Instruction Fuzzy Hash: DCC1F2B0E84209AFDB15CF98D880BADBBB7AF89310F414079E415AB3D1E7B09941CF65
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
                      • Instruction ID: ee9b374b754267b3a96934832a8bfcd590faa4b6eb17edeb4b1fb680e658e9fc
                      • Opcode Fuzzy Hash: f581972419559139547d94a09d48a4cf01951f6f19e23db2bc11059fe6a6d649
                      • Instruction Fuzzy Hash: A3C114B0A04649EFEF15DF99C880BAEBBB1AF49314F00416BE441A7393D7789901CF69
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042EA79
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0042EA92
                      • Concurrency::location::_Assign.LIBCMT ref: 0042EAA8
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0042EB15
                      • Concurrency::details::SchedulerBase::ClearQuickCacheSlot.LIBCMT ref: 0042EB1D
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042EB44
                      • Concurrency::details::VirtualProcessor::EnsureAllTasksVisible.LIBCONCRT ref: 0042EB50
                      • Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042EBA7
                      • Concurrency::details::ReferenceCountedQuickBitSet::InterlockedClear.LIBCONCRT ref: 0042EBDC
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Context$Base::$Processor::QuickVirtual$ClearCountedEventInterlockedReferenceSet::$AssignAvailableBlockedCacheConcurrency::location::_DeactivateEnsureInternalMakeSchedulerSlotSpinTasksThrowTraceUntilVisible
                      • String ID:
                      • API String ID: 1448206229-0
                      • Opcode ID: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
                      • Instruction ID: b79df771f0ce3d1fcd239dae8b84d8a96fbc808fd590aacba6511f1f6f03bb9e
                      • Opcode Fuzzy Hash: a39cb41113445c8b37c8e93bd00c54bcce78915a73e61bcd78f9524f0075e564
                      • Instruction Fuzzy Hash: 995183347002249FDB04EF55D485BAE7765FF49315F9840AAED069B383CB78AC01CB6A
                      APIs
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CurrentThread$_xtime_get$Xtime_diff_to_millis2
                      • String ID:
                      • API String ID: 3943753294-0
                      • Opcode ID: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                      • Instruction ID: bddab55a8710375410de06f2cbf838f682289051ae478299c78a77db7f636456
                      • Opcode Fuzzy Hash: 614b4e817c589673b728cf08dcfac44524a47e1cde47449f47a12751e0a585f6
                      • Instruction Fuzzy Hash: 47517834900305CFEF65DF24CA869AD77E5EF08315B2040AAE8579B661CB32E8C1DFA5
                      APIs
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 020F7B6A
                        • Part of subcall function 020F5F1F: __EH_prolog3_catch.LIBCMT ref: 020F5F26
                        • Part of subcall function 020F5F1F: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 020F5F5F
                      • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 020F7B78
                        • Part of subcall function 020F6B84: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 020F6BA9
                        • Part of subcall function 020F6B84: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 020F6BCC
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 020F7B91
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 020F7B9D
                        • Part of subcall function 020F5F1F: RtlInterlockedPopEntrySList.NTDLL(?), ref: 020F5FA8
                        • Part of subcall function 020F5F1F: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 020F5FD7
                        • Part of subcall function 020F5F1F: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 020F5FE5
                      • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 020F7BE9
                      • Concurrency::location::_Assign.LIBCMT ref: 020F7C0A
                      • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 020F7C12
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 020F7C24
                      • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 020F7C54
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                      • String ID:
                      • API String ID: 2678502038-0
                      • Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction ID: fca061f0ae1a275b6d541a6c6ff694821db387f340e55b9dedb4d352788f61fa
                      • Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction Fuzzy Hash: 88314930B803459BDFD6AB7844817FDF7F65F41304F0800A9CA55D7A51D7255849EBE2
                      APIs
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427903
                        • Part of subcall function 00425CB8: __EH_prolog3_catch.LIBCMT ref: 00425CBF
                        • Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00425CF8
                      • Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00427911
                        • Part of subcall function 0042691D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00426942
                        • Part of subcall function 0042691D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00426965
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0042792A
                      • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00427936
                        • Part of subcall function 00425CB8: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00425D41
                        • Part of subcall function 00425CB8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00425D70
                        • Part of subcall function 00425CB8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00425D7E
                      • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00427982
                      • Concurrency::location::_Assign.LIBCMT ref: 004279A3
                      • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 004279AB
                      • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 004279BD
                      • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 004279ED
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
                      • String ID:
                      • API String ID: 2678502038-0
                      • Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction ID: be26d28973ab40e19276e1e39a9ed43843e9869f42fe47dc141d3d43563d5587
                      • Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
                      • Instruction Fuzzy Hash: 9F314670B083715AEF16AA7854927FF77B59F01304F4401ABD485D7342DA2C4D8AC3D9
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 02100C02
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,020F5F15,?), ref: 02100C14
                      • GetCurrentThread.KERNEL32 ref: 02100C1C
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,020F5F15,?), ref: 02100C24
                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,020F5F15,?), ref: 02100C3D
                      • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 02100C5E
                        • Part of subcall function 020F0478: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 020F0492
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,020F5F15,?), ref: 02100C70
                      • GetLastError.KERNEL32(?,?,?,?,?,020F5F15,?), ref: 02100C9B
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02100CB1
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                      • String ID:
                      • API String ID: 1293880212-0
                      • Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction ID: 6b9a9a76f14ca40840e0cae71ae8d0a0032d3607f809aa2c82e790c0991ed65d
                      • Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction Fuzzy Hash: 6E11E779580305AFD710AB749E8DF9A3BA8AF09701F080075F946DA192EBB4C4048B75
                      APIs
                      • GetCurrentThreadId.KERNEL32 ref: 0043099B
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309AD
                      • GetCurrentThread.KERNEL32 ref: 004309B5
                      • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00425CAE,?), ref: 004309BD
                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00425CAE,?), ref: 004309D6
                      • Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 004309F7
                        • Part of subcall function 00420211: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0042022B
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00425CAE,?), ref: 00430A09
                      • GetLastError.KERNEL32(?,?,?,?,?,00425CAE,?), ref: 00430A34
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00430A4A
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
                      • String ID:
                      • API String ID: 1293880212-0
                      • Opcode ID: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction ID: 58a410a88ddb3f2405c1133c244b860286e3bd8ce2c4f5659541a2373579a810
                      • Opcode Fuzzy Hash: ca3b420515bcbb23f0314330c0ebaf985fd69accfaa50322e501786fcfee08c6
                      • Instruction Fuzzy Hash: 07112779600301ABD700AFB1BD5AF9B3BA89F19701F14017AF945D6253EA78D800873A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$InformationTimeZone
                      • String ID: XgE$XgE
                      • API String ID: 597776487-1765908331
                      • Opcode ID: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
                      • Instruction ID: 5965922fd4ef77e63fac8030979ac70a061e6e9f1bb10892070952cc0cae8d4d
                      • Opcode Fuzzy Hash: 1b696d6c4c17f14bd2cd532e520e2bf73148f9a8717794c16fbf28e545bba7b4
                      • Instruction Fuzzy Hash: 9CC13775A80269AFDB24AF78DC40BAE7BFAEF45314F1401BADC90D7290E7708A41CB55
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
                      • Instruction ID: 1e58da690d933ec6bec37b4d27894910b914de37fd781b082fe02beab4f7c320
                      • Opcode Fuzzy Hash: d2c1a298e8fecfe48cef90fb9b18945fd86a062cf10d1e3a8c03b853429e7ba7
                      • Instruction Fuzzy Hash: A3F1F17090034CAFEB24DF54CC84BDEBBBAEB44304F5042A9E509A72C1DBB59A84CF95
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 0040BA57
                      • CoCreateInstance.COMBASE(00458F80,00000000,00000001,00458F90,?), ref: 0040BA73
                      • CoUninitialize.COMBASE ref: 0040BA81
                      • CoUninitialize.COMBASE ref: 0040BB40
                      • CoUninitialize.COMBASE ref: 0040BB54
                      Strings
                      • stoi argument out of range, xrefs: 0040E4EA
                      • invalid stoi argument, xrefs: 0040E4F4
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Uninitialize$CreateInitializeInstance
                      • String ID: invalid stoi argument$stoi argument out of range
                      • API String ID: 1968832861-1606216832
                      • Opcode ID: 42e81b5dadb9432d45009ead610f663de47e4f9e839306fa723411e06c979015
                      • Instruction ID: aa5973b7119725b2c9a958bba5187bd3a29cec50dc0543cd5e4a1e68f5f3e6b5
                      • Opcode Fuzzy Hash: 42e81b5dadb9432d45009ead610f663de47e4f9e839306fa723411e06c979015
                      • Instruction Fuzzy Hash: 82416171B00204AFDB04CF68CC89BAE77B5EB48715F10812AF805E76D5DB78A944CB99
                      APIs
                      • _ValidateLocalCookies.LIBCMT ref: 00434877
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 0043487F
                      • _ValidateLocalCookies.LIBCMT ref: 00434908
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00434933
                      • _ValidateLocalCookies.LIBCMT ref: 00434988
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                      • String ID: S9C$csm
                      • API String ID: 1170836740-582408667
                      • Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction ID: 6575625a84691e9b1f9b7e8611f910fc559112cced3487189da3a48804891882
                      • Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction Fuzzy Hash: 7141E874A00208ABCF10DF69C844ADF7BB4BF89318F14815BE8149B392D779EA11CF99
                      APIs
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$___from_strstr_to_strchr
                      • String ID:
                      • API String ID: 3409252457-0
                      • Opcode ID: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
                      • Instruction ID: 12c3d0272ea5b496797e2f08ecb22efaf1cf1aab2c66c75798ed9d40d9760071
                      • Opcode Fuzzy Hash: b36ae6f94d372ff64b4da89c0af13a455d4f54d85b457d19ac11513aadbc6f32
                      • Instruction Fuzzy Hash: D75128B1988305AFDB34AFB698C0A6E7BA5EF06314F14496EE524972C0EBF1C500CF55
                      APIs
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$___from_strstr_to_strchr
                      • String ID:
                      • API String ID: 3409252457-0
                      • Opcode ID: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
                      • Instruction ID: f99befb810c5c4866eaf564f7dd7d7d58b29b2c8e151ae40169767ee9d3e76c4
                      • Opcode Fuzzy Hash: 7e13cb0b5705e9cade751d436b5392716494f0a3c8e39469c6473571ee0f5945
                      • Instruction Fuzzy Hash: CC513670D05306AFDB24AFBB9841A6E7BA4DF0D314F00616FE510972C1EA7D9940CB4D
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$InformationTimeZone
                      • String ID: XgE
                      • API String ID: 597776487-2984570469
                      • Opcode ID: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
                      • Instruction ID: df7d7efe0813b1fc9665f027b9df2e4c66d539f3229410abaef311319f10ac1b
                      • Opcode Fuzzy Hash: 2b6728d1d25a7a4dc5655f9f1937d483343b97d9f8a5c2cfc13cb8f05322008e
                      • Instruction Fuzzy Hash: 4AC14B71900205ABFB10AF69CE517AFBBA9EF45354F9500AFF88097391E7B88E41C758
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: mtx_do_lock
                      • String ID: list too long
                      • API String ID: 1389037287-1124181908
                      • Opcode ID: 49bd66367a3987fd4d0804e4ba397cb7ac0a9a4efa5fe6f8e5f577634f06c109
                      • Instruction ID: 1e29e99ac9c9a3b5c0ba9015333ef2344c8a6a63817eda69dd40f949fabc9989
                      • Opcode Fuzzy Hash: 49bd66367a3987fd4d0804e4ba397cb7ac0a9a4efa5fe6f8e5f577634f06c109
                      • Instruction Fuzzy Hash: 8661A5B0D04718ABDB20DF65CD89B99B7B4FF04704F1041AAE80DA7281EB78A995CF59
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431B42
                        • Part of subcall function 00431E11: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,0043188A), ref: 00431E21
                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00431B57
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431B66
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00431C2A
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                      • String ID: pContext$switchState
                      • API String ID: 1312548968-2660820399
                      • Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction ID: b863e61c3d732dd5109429b6f29941dee9b5abb7f1e972ae7809c7e47913e2a3
                      • Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction Fuzzy Hash: 8331D835A00204ABCF05EF64C881AAEB775FF4C314F20556BED1197362EB79EE05CA98
                      APIs
                      • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 020FEA3E
                        • Part of subcall function 020FE7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 020FE7DE
                        • Part of subcall function 020FE7AB: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 020FE800
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020FEABB
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 020FEAC7
                      • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 020FEAD6
                      • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 020FEAE0
                      • Concurrency::location::_Assign.LIBCMT ref: 020FEB14
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 020FEB1C
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                      • String ID:
                      • API String ID: 1924466884-0
                      • Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction ID: af99d692ba21dc0de78f90fff6a525898493ba50542fb171b0e8acd2baf700e7
                      • Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction Fuzzy Hash: D6414939A003049FCF41EF64C484BADB7B6FF48310F1481A9DE4A9B691DB30A941DF91
                      APIs
                      • Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042E7D7
                        • Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E577
                        • Part of subcall function 0042E544: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042E599
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E854
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E860
                      • Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042E86F
                      • Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042E879
                      • Concurrency::location::_Assign.LIBCMT ref: 0042E8AD
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E8B5
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                      • String ID:
                      • API String ID: 1924466884-0
                      • Opcode ID: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction ID: 01245f0547eb729828e98329900f8f6e173d559f1909e94d2917f6101dcd408e
                      • Opcode Fuzzy Hash: 68357d3375aa4ffdda60a85fea681dfadbeefaeb1374d27128ca733c89973d16
                      • Instruction Fuzzy Hash: 19415A39A00214EFCF00EF65D484AADB7B5FF48314F5480AAED499B382DB34A941CB95
                      APIs
                      • __EH_prolog3.LIBCMT ref: 020EF0CD
                      • _SpinWait.LIBCONCRT ref: 020EF123
                      • Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 020EF12F
                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 020EF148
                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 020EF176
                      • Concurrency::Context::Block.LIBCONCRT ref: 020EF198
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::H_prolog3ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
                      • String ID:
                      • API String ID: 1888882079-0
                      • Opcode ID: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
                      • Instruction ID: 3f1f15a842876df94b0cff555c9643e9026f2d47c14cd4174ec352904a86d23f
                      • Opcode Fuzzy Hash: 51f1a6270a472bcdd30247f4592d3322b934ddd74063de143c259ec6416e4012
                      • Instruction Fuzzy Hash: 3D219F7080030ECEDF6AEFA4C8586EEB7F1AF04324F50455AD066A65D0EBB186C4EF91
                      APIs
                        • Part of subcall function 0210F30A: _free.LIBCMT ref: 0210F32F
                      • _free.LIBCMT ref: 0210F390
                        • Part of subcall function 0210B05C: HeapFree.KERNEL32(00000000,00000000,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?), ref: 0210B072
                        • Part of subcall function 0210B05C: GetLastError.KERNEL32(?,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?,?), ref: 0210B084
                      • _free.LIBCMT ref: 0210F39B
                      • _free.LIBCMT ref: 0210F3A6
                      • _free.LIBCMT ref: 0210F3FA
                      • _free.LIBCMT ref: 0210F405
                      • _free.LIBCMT ref: 0210F410
                      • _free.LIBCMT ref: 0210F41B
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction ID: 801f0500b975ad8d9db5f8c04de34a0e92c5233d6fd9d91d497fbf100b06bf01
                      • Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction Fuzzy Hash: 8D111272584704EEDA30B770DC96FCB7BAEBF04710F404816B699AA8D1DBADB505CE90
                      APIs
                        • Part of subcall function 0043F0A3: _free.LIBCMT ref: 0043F0C8
                      • _free.LIBCMT ref: 0043F129
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043F134
                      • _free.LIBCMT ref: 0043F13F
                      • _free.LIBCMT ref: 0043F193
                      • _free.LIBCMT ref: 0043F19E
                      • _free.LIBCMT ref: 0043F1A9
                      • _free.LIBCMT ref: 0043F1B4
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction ID: c3a7340a8ef7a1c42761e22c66233c02557cf0a4384e4ec730fa78aa122713dc
                      • Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
                      • Instruction Fuzzy Hash: BC118131940B04AAD930B7B2CC07FCB77EE9F08719F40183EB699A6053DA2EB5594656
                      APIs
                      • GetModuleHandleW.KERNEL32(004512B4,?,00000000,00000000,?,?,?,020F3E4D), ref: 020EFCE6
                      • GetProcAddress.KERNEL32(00000000,0045177C), ref: 020EFCF4
                      • GetProcAddress.KERNEL32(00000000,00451794), ref: 020EFD02
                      • GetProcAddress.KERNEL32(00000000,004517AC), ref: 020EFD30
                      • GetLastError.KERNEL32(?,?,?,020F3E4D), ref: 020EFD4B
                      • GetLastError.KERNEL32(?,?,?,020F3E4D), ref: 020EFD57
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020EFD6D
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
                      • String ID:
                      • API String ID: 1654681794-0
                      • Opcode ID: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
                      • Instruction ID: 77238652a303bf125a4a03deb2719c28fef415c74165de43a23f1d54041cf92e
                      • Opcode Fuzzy Hash: 7fe6c5ece6de4c50eb3fb3b842b885c674e1d20cdf18a0be90147e923e9c19f3
                      • Instruction Fuzzy Hash: E901CC395443015F97917BB56C8CFAB3BEDA904B52B100537F502D1592EB78D4045B79
                      APIs
                      • __Mtx_unlock.LIBCPMT ref: 020E7138
                      • std::_Rethrow_future_exception.LIBCPMT ref: 020E7189
                      • std::_Rethrow_future_exception.LIBCPMT ref: 020E7199
                      • __Mtx_unlock.LIBCPMT ref: 020E723C
                      • __Mtx_unlock.LIBCPMT ref: 020E7342
                      • __Mtx_unlock.LIBCPMT ref: 020E737D
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Mtx_unlock$Rethrow_future_exceptionstd::_
                      • String ID:
                      • API String ID: 1997747980-0
                      • Opcode ID: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
                      • Instruction ID: 25154146007e40cb86f1eef38b4260faac362a8d6026ad4368b7ce6d3bc25290
                      • Opcode Fuzzy Hash: 411bbcd3c98b8483f8dc7711dd14b2669908e861b9d7381f1d8c4d8a9dcadb8d
                      • Instruction Fuzzy Hash: CCC1CEB19003449FDF26DFB4C944BAEBBF5AF01304F00456EE817976A1EB35A584EB52
                      APIs
                      • GetConsoleCP.KERNEL32(?,020D8A07,00000000), ref: 0210FF6F
                      • __fassign.LIBCMT ref: 0211014E
                      • __fassign.LIBCMT ref: 0211016B
                      • WriteFile.KERNEL32(?,020D8A07,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 021101B3
                      • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 021101F3
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0211029F
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileWrite__fassign$ConsoleErrorLast
                      • String ID:
                      • API String ID: 4031098158-0
                      • Opcode ID: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
                      • Instruction ID: 41cfa498c2b302cbec45db1bd94326a95f1b3ea05031026d321968516c1bfaed
                      • Opcode Fuzzy Hash: aeaffaf03d6c38a690940c40d1bea6644629eb38ec1b3c0d319535d1d52f1a6c
                      • Instruction Fuzzy Hash: 18D19B75D402589FCF15CFE8D880AEDBBB5BF49304F28416AE855FB242E731A986CB50
                      APIs
                      • Concurrency::location::_Assign.LIBCMT ref: 020FEB85
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 020FEB8D
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020FEBB7
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 020FEBC0
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 020FEC43
                      • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 020FEC4B
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                      • String ID:
                      • API String ID: 3929269971-0
                      • Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction ID: e8e2c4f8912f01403c70599a4e68c1cd9ca084355c55224139da223434742802
                      • Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction Fuzzy Hash: 58414039A00719EFCB49DF68C894AADB7B6FF48310F008159E906977A0CB74AE01DF81
                      APIs
                      • Concurrency::location::_Assign.LIBCMT ref: 0042E91E
                      • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042E926
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042E950
                      • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042E959
                      • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E9DC
                      • Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E9E4
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
                      • String ID:
                      • API String ID: 3929269971-0
                      • Opcode ID: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction ID: e456b2d5945dcb9d16af89579036fa7bc11e47face3e2a4e749ba7397f49833a
                      • Opcode Fuzzy Hash: e357eccba9f9281a6441e24871b6c677031b298cf17b8db731c946c7b8307f67
                      • Instruction Fuzzy Hash: A7418079B00219EFCB09DF65D454A6DB7B1FF48310F00816AE806A7391CB38AE41CF85
                      APIs
                      • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 020FA2D0
                        • Part of subcall function 020FB7C7: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 020FB816
                      • GetCurrentThread.KERNEL32 ref: 020FA2DA
                      • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 020FA2E6
                        • Part of subcall function 020F05EF: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 020F0601
                        • Part of subcall function 020F0A7B: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 020F0A82
                      • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 020FA329
                        • Part of subcall function 020FB779: SetEvent.KERNEL32(?,?,020FA32E,020FB0C2,00000000,?,00000000,020FB0C2,00000004,020FB76E,?,00000000,?,?,00000000), ref: 020FB7BD
                      • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 020FA332
                        • Part of subcall function 020FADA8: __EH_prolog3.LIBCMT ref: 020FADAF
                        • Part of subcall function 020FADA8: List.LIBCONCRT ref: 020FADDE
                      • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 020FA342
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedH_prolog3ListResourceResource::StateSubscriptionToggle
                      • String ID:
                      • API String ID: 2908504212-0
                      • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction ID: 9d92d45f4abee8b1eb0881ec4ef371fb02325cc9b7771fcb2accea705d393d18
                      • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction Fuzzy Hash: 7521D931600B109FCB65EF65D9908AAB3FAFF4C7007004A1EEA4697A60CB74F900DFA1
                      APIs
                      • Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042A069
                        • Part of subcall function 0042B560: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0042B5AF
                      • GetCurrentThread.KERNEL32 ref: 0042A073
                      • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042A07F
                        • Part of subcall function 00420388: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 0042039A
                        • Part of subcall function 00420814: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0042081B
                      • Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 0042A0C2
                        • Part of subcall function 0042B512: SetEvent.KERNEL32(?,?,0042A0C7,0042AE5B,00000000,?,00000000,0042AE5B,00000004,0042B507,?,00000000,?,?,00000000), ref: 0042B556
                      • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042A0CB
                        • Part of subcall function 0042AB41: List.LIBCONCRT ref: 0042AB77
                      • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042A0DB
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
                      • String ID:
                      • API String ID: 318399070-0
                      • Opcode ID: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction ID: 786c6bbc9f4db79065070eee32726b74de41850732c6b9a0a53a64165b4dd308
                      • Opcode Fuzzy Hash: e8a399636c21c93f54abecb38cd00bd2a0cdd3abe99d6541657663b6aa6b27b5
                      • Instruction Fuzzy Hash: 5721E031600B249FCB24EF66E9908ABF3F5FF48304740455EE942A7651CB38F805CB9A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _strrchr
                      • String ID: vC
                      • API String ID: 3213747228-1921080006
                      • Opcode ID: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
                      • Instruction ID: 8cae4ceb00b15cc6f8fe4719d8afecb37dc1afbf88934ae700027118ad1b5c75
                      • Opcode Fuzzy Hash: 59c984e0335d750eb7e229aa4273084cd5aafbd0618d532e588fc2a2f53891da
                      • Instruction Fuzzy Hash: DEB1F3329046459FEB15CF28C8C27AEBBA5EF49344F24916BE855FB341D6389D02CB68
                      APIs
                      • GetLastError.KERNEL32(?,?,02105195,02103D59,020EB7BC,00462014,?,00000000,0044B3E8,000000FF,?,020D2691,?,?), ref: 021051AC
                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 021051BA
                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 021051D3
                      • SetLastError.KERNEL32(00000000,?,02105195,02103D59,020EB7BC,00462014,?,00000000,0044B3E8,000000FF,?,020D2691,?,?), ref: 02105225
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLastValue___vcrt_
                      • String ID:
                      • API String ID: 3852720340-0
                      • Opcode ID: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
                      • Instruction ID: 6a7eb870306c0c745f0193c69b68439ef3fd75a33c63f0edeaf3e29624ab6ff0
                      • Opcode Fuzzy Hash: 7eadf9bba742c64d85f45994d498b9432cfa87c48bb13d385963a09ab129d98a
                      • Instruction Fuzzy Hash: B301243658CB21BEA62427B57CC4A2B268BFF047787200239F228490E1FFE14800CE88
                      APIs
                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020EFE90
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020EFE96
                      • GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020EFEC3
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020EFECD
                      • GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 020EFEDF
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020EFEF5
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                      • String ID:
                      • API String ID: 2808382621-0
                      • Opcode ID: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
                      • Instruction ID: 86128c1415240e39d5cb82211b01902f905960742426a337cd21d436a6b3f8d7
                      • Opcode Fuzzy Hash: 0b9f535693bf9840a9ed197670659dc31b2ab51e471b9d9d389deb6254926a20
                      • Instruction Fuzzy Hash: 4C01FC366403066FDB51BB75EC4CBAF37A8EF41712B600425F406E2992EB24E5449B64
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 021129C3
                      • _free.LIBCMT ref: 021129B1
                        • Part of subcall function 0210B05C: HeapFree.KERNEL32(00000000,00000000,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?), ref: 0210B072
                        • Part of subcall function 0210B05C: GetLastError.KERNEL32(?,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?,?), ref: 0210B084
                      • _free.LIBCMT ref: 02112B7D
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                      • String ID: XgE$XgE
                      • API String ID: 2155170405-1765908331
                      • Opcode ID: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
                      • Instruction ID: 5d9e280cad7d4d16b6d16da878315db02e1d5e53c5289beb6be15b15f094a258
                      • Opcode Fuzzy Hash: c6433087ed30f2a2da2807838542e42bb6de4ad70922db091af99d7f7348fe1d
                      • Instruction Fuzzy Hash: A751E671940229AFDB24EFA8DC809AE77BDEF44354B1502BAD860E72D0F7B09A41CF55
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00431885
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004318A4
                      • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 004318EB
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                      • String ID: pContext
                      • API String ID: 1284976207-2046700901
                      • Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction ID: d01a77f2ab9abe46547ca181dc4035302de0eae64105b64324a031690df06c10
                      • Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction Fuzzy Hash: 3421EA35B006159BCB19B765D895ABD73A5BF98338F04112BE411872E1CB6CAC428A9D
                      Strings
                      • C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 0210E24F
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
                      • API String ID: 0-2143550836
                      • Opcode ID: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
                      • Instruction ID: 252ffc16384e91d235b51558294e27a133a2217de3becb4997901d59d2425c76
                      • Opcode Fuzzy Hash: 83d649548dc4756340e3f4fa4cdfd0894265a7358bbde176a04f29cefd39949e
                      • Instruction Fuzzy Hash: 6321AA71684109AFDB20AF629DC4E77BB9EEF043647004925F935971D0D7B1EC51CBA0
                      APIs
                      • __EH_prolog3_catch.LIBCMT ref: 020F9F03
                      • std::bad_exception::bad_exception.LIBCMT ref: 020F9F65
                      • Concurrency::SchedulerPolicy::_ResolvePolicyValues.LIBCONCRT ref: 020F9FA7
                      • std::bad_exception::bad_exception.LIBCMT ref: 020F9FD1
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_ResolveSchedulerValues
                      • String ID: 8[F
                      • API String ID: 3836581985-331943168
                      • Opcode ID: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
                      • Instruction ID: a379c1cde0a9f2dfd7c47346adf06f4bc87e71c27d9ecdd300c41c58c52f4276
                      • Opcode Fuzzy Hash: a4d644558bc095dc33be146fbd05eccc5a98fec7c23d9a48cae62212641850da
                      • Instruction Fuzzy Hash: 1821F1319803089FCF85EF64D884BDDB7F5EF04310B11402AE605ABA90DB316D4ADF55
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _wcsrchr
                      • String ID: .bat$.cmd$.com$.exe
                      • API String ID: 1752292252-4019086052
                      • Opcode ID: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
                      • Instruction ID: 2fe954d65b4b50834951edb994104e0446c73801206968c056bf44c713a15be5
                      • Opcode Fuzzy Hash: eebd850b759d80cb09b7359ab37ad9482216c276737184da2b80f0523ace37d9
                      • Instruction Fuzzy Hash: 8D01086760861635663520199E0276713888BCABB8F25202FFDA4F73C1EF8CDD42A1EC
                      APIs
                      • GetLastError.KERNEL32(?,?,?,02106BB1,?,?,?,?,021078C8,?), ref: 0210A8DD
                      • _free.LIBCMT ref: 0210A93A
                      • _free.LIBCMT ref: 0210A970
                      • SetLastError.KERNEL32(00000000,00462170,000000FF,?,?,02106BB1,?,?,?,?,021078C8,?), ref: 0210A97B
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction ID: 4edcfccacbe62580ec0de1f7cc0dbf7f7203fee2ba4324f6671f25589f65e983
                      • Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction Fuzzy Hash: 5211A9327C87017ED6212BB55CC4E7B265BAFC17B9B260235F724961E0EFE28C058965
                      APIs
                      • GetLastError.KERNEL32(?,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A676
                      • _free.LIBCMT ref: 0043A6D3
                      • _free.LIBCMT ref: 0043A709
                      • SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,0043694A,?,?,?,?,00437661,?), ref: 0043A714
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction ID: 8cce909c9ac14f6c448446a217854be9d18c12721b99b88a770a56678c5f8ba9
                      • Opcode Fuzzy Hash: 4f2ed3d34f35961fd0f18177c3173820742fc9700b75869c829352158ce47360
                      • Instruction Fuzzy Hash: 2511AB312447007A961166766C86A2B215AD7D937DF24213FF3A4462D2EEAD8C32515F
                      APIs
                      • GetLastError.KERNEL32(?,?,?,02107862,020D24AE), ref: 0210AA34
                      • _free.LIBCMT ref: 0210AA91
                      • _free.LIBCMT ref: 0210AAC7
                      • SetLastError.KERNEL32(00000000,00462170,000000FF,?,02107862,020D24AE), ref: 0210AAD2
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction ID: dddc2233f4304ad6d294316ff9eec23330bf7a5785121413c450b03428e442d6
                      • Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction Fuzzy Hash: CC11E5362C8701BEDA1166B6ADC0E7B225BAFC2778B250235F324921E0EBE28D058955
                      APIs
                      • GetLastError.KERNEL32(?,?,?,004375FB,00402247), ref: 0043A7CD
                      • _free.LIBCMT ref: 0043A82A
                      • _free.LIBCMT ref: 0043A860
                      • SetLastError.KERNEL32(00000000,00000008,000000FF,?,004375FB,00402247), ref: 0043A86B
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorLast_free
                      • String ID: x!F
                      • API String ID: 2283115069-3062043068
                      • Opcode ID: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction ID: 43a0ef826740dec3b5b6cec3c960c44763b9b2bf66f2e005ed7dcd0d28945869
                      • Opcode Fuzzy Hash: 56f9d83506fe0b5766636a44d0cab5e527ac01f444b2ac40f8d129dc50e40d0b
                      • Instruction Fuzzy Hash: 0A1106312847003A961132765CC5E6B221AEBC977DF24223BF764822D2EFAECC23415F
                      APIs
                      • StructuredWorkStealingQueue.LIBCMT ref: 0210231E
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0210232F
                      • StructuredWorkStealingQueue.LIBCMT ref: 02102365
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 02102376
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                      • String ID: e
                      • API String ID: 3804418703-4024072794
                      • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction ID: 21e2d27f544bf3ded385e7e5238b203fa200e9792ed133a0889f2f76c0cbb2a4
                      • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction Fuzzy Hash: 33110631140205DBDB19DE68C8C8AAF77A9AF0A314B18C46AEC16DF281CBF1D905CFA0
                      APIs
                      • StructuredWorkStealingQueue.LIBCMT ref: 004320B7
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 004320C8
                      • StructuredWorkStealingQueue.LIBCMT ref: 004320FE
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043210F
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
                      • String ID: e
                      • API String ID: 3804418703-4024072794
                      • Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction ID: 1ff5ec0336f97ae43b1f0b8f375a3bc5f2b05840f56227257267f5d03aa7fa4d
                      • Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
                      • Instruction Fuzzy Hash: 9411C131200104ABDF45DE69CB8166B73A4AF0A328F14D05BFD068F242DBF9D905CB99
                      APIs
                      • Sleep.KERNEL32(00000064), ref: 020DABCA
                      • CreateMutexA.KERNEL32(00000000,00000000,00463254), ref: 020DABE8
                      • GetLastError.KERNEL32 ref: 020DABF0
                      • GetLastError.KERNEL32 ref: 020DAC01
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: ErrorLast$CreateMutexSleep
                      • String ID: T2F
                      • API String ID: 3645482037-3862687658
                      • Opcode ID: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
                      • Instruction ID: ca0991680755d5dfdedff9f319f266eb187d1bf734e05ed326410791c5a9840d
                      • Opcode Fuzzy Hash: 187082659592547e38ccbb39052786932d1335d10d1d45dc72119e21490735fa
                      • Instruction Fuzzy Hash: E701F431680340EBE7509F68FC08F5A77A5E740B22F100A36F515C31D0DB789944CB69
                      APIs
                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 00436582
                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00436595
                      • FreeLibrary.KERNEL32(00000000,?,?,00436562,?,?,0043652A,?,?,?), ref: 004365B8
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: AddressFreeHandleLibraryModuleProc
                      • String ID: CorExitProcess$mscoree.dll
                      • API String ID: 4061214504-1276376045
                      • Opcode ID: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                      • Instruction ID: dbc2b550f678300173dffafd29bb25114a02185772f501870b49608a3602ef38
                      • Opcode Fuzzy Hash: 149a4b1e0247f71675fe1653e9c2ac55fef454062cb741321ed7f61413657623
                      • Instruction Fuzzy Hash: C4F01235941319FBDB129B50ED0EB9E7A79EB04757F154072F805A22A1CB78CF04DB98
                      APIs
                      • SleepConditionVariableCS.KERNELBASE(?,0041D136,00000064), ref: 0041D1BC
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D1C6
                      • WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,0041D136,00000064,?,771B0F00,?,004075ED,00468680), ref: 0041D1D7
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D1DE
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                      • String ID: PWF
                      • API String ID: 3269011525-4189640852
                      • Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction ID: 46656ffccb6e8e596dcc74b2c483e7fba3308dd0c831886d2789c24014a254a2
                      • Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction Fuzzy Hash: 75E01235641B24F7CB021B50EC09B8E3F58EB05753F144032FA05661619B659D40DBDF
                      APIs
                      • GetCPInfo.KERNEL32(00631058,00631058,?,7FFFFFFF,?,?,00446A65,00631058,00631058,?,00631058,?,?,?,?,00631058), ref: 0044684C
                      • __alloca_probe_16.LIBCMT ref: 00446902
                      • __alloca_probe_16.LIBCMT ref: 00446998
                      • __freea.LIBCMT ref: 00446A03
                      • __freea.LIBCMT ref: 00446A0F
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: __alloca_probe_16__freea$Info
                      • String ID:
                      • API String ID: 2330168043-0
                      • Opcode ID: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
                      • Instruction ID: 261b0646ef3bb21783759df69fc444e01875a83395626589d87ed72ffed4e1ba
                      • Opcode Fuzzy Hash: c93d5030befdd3412ed34437d1360547b5edfd3f1e8b3b9334df1f5af1b906f8
                      • Instruction Fuzzy Hash: 4481C172D006459BEF20AF658881AEF7BB5DF0B354F1A405BE904B7341E739CC458BAA
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
                      • Instruction ID: 3f3f76d32f4281a7a7dfbd87cc28b511efdd8ab10e932140479c9df0781c9fa3
                      • Opcode Fuzzy Hash: d6d23cd4dd6e2fa0143c66012945725be57b8f486d799fb0b8f6dfb3b5511e53
                      • Instruction Fuzzy Hash: DC6195B0D05714AFDB20DF64CD89B99B7F9EF04310F1041AAE90DA7250EB75AA80DF56
                      APIs
                      • GetFileType.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0210714D), ref: 0210723D
                      • GetFileInformationByHandle.KERNEL32(?,?), ref: 02107297
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0210714D,?,000000FF,00000000,00000000), ref: 02107325
                      • __dosmaperr.LIBCMT ref: 0210732C
                      • PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 02107369
                        • Part of subcall function 02107591: __dosmaperr.LIBCMT ref: 021075C6
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
                      • String ID:
                      • API String ID: 1206951868-0
                      • Opcode ID: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
                      • Instruction ID: 46f042d48e8281e247c6dc260f2f3d1a3867e97eae6d24921a5eb1390c7c18f3
                      • Opcode Fuzzy Hash: 19e1070b04fb49a2dd5738f37f72da11fb3a5a43ccc6689087d144dd6161f976
                      • Instruction Fuzzy Hash: 29413C75980744AFDB24DFA5EC849AFFBF9EF88300B00452DE956D7290E770A942CB61
                      APIs
                      • CoInitialize.OLE32(00000000), ref: 020DBCBE
                      • CoCreateInstance.COMBASE(00458F80,00000000,00000001,00458F90,?), ref: 020DBCDA
                      • CoUninitialize.COMBASE ref: 020DBCE8
                      • CoUninitialize.COMBASE ref: 020DBDA7
                      • CoUninitialize.COMBASE ref: 020DBDBB
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: Uninitialize$CreateInitializeInstance
                      • String ID:
                      • API String ID: 1968832861-0
                      • Opcode ID: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
                      • Instruction ID: 995b4542d538945d7cbbdc82233071e85c0b0d85cc2019856810a994d7de0b7c
                      • Opcode Fuzzy Hash: 3e1efb8a3acf5b83f8398f094812db7d9444b93ce0f50575ee480a284648f072
                      • Instruction Fuzzy Hash: 16416D31A01309AFDB04CF68C885BAE7BB9EF48719F508558F806E7691DB75E940CBA4
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 020FDDCB
                        • Part of subcall function 020F9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020F91B7
                      • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 020FDE2A
                      • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 020FDE50
                      • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 020FDE70
                      • Concurrency::location::_Assign.LIBCMT ref: 020FDEBD
                        • Part of subcall function 02101599: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 021015DE
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                      • String ID:
                      • API String ID: 1879022333-0
                      • Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction ID: 7520596a9edced5967ab76855c9f296eff798be7296d1bb4f9592a427fe48f86
                      • Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction Fuzzy Hash: 06412770640300AFCF96EB24C884BFDBBBAEF45710F044099EA069B781DB34A945DB91
                      APIs
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042DB64
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042DBC3
                      • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042DBE9
                      • Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0042DC09
                      • Concurrency::location::_Assign.LIBCMT ref: 0042DC56
                        • Part of subcall function 00431332: Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431377
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerStealerThrowTraceWork
                      • String ID:
                      • API String ID: 1879022333-0
                      • Opcode ID: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction ID: de4f072aaf1dca0b17399bd929b16a9a875841cf6160958f8114d71bd43867b1
                      • Opcode Fuzzy Hash: 3f867edf2e3fea7535e6fe073452b703bba04c29d155da01a3a84350d07a286a
                      • Instruction Fuzzy Hash: 84412774B04220ABCF199B25D895BAEBB75AF45310F40409FE5065B3C2CB78AD45C7D9
                      APIs
                      • __EH_prolog3_GS.LIBCMT ref: 020EEF54
                      • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 020EEF7E
                        • Part of subcall function 020EF644: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 020EF661
                      • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 020EEFFB
                      • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 020EF02D
                      • __freea.LIBCMT ref: 020EF053
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__freea
                      • String ID:
                      • API String ID: 2497068736-0
                      • Opcode ID: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
                      • Instruction ID: 8f651a8f21529cf849427a308abe75f7471797207f0ea91b778e241aa7604eed
                      • Opcode Fuzzy Hash: a6c94f2b07b76275c46f7f4adf28e57aec3c88f13b0cf4508af0eed2d0fdcfcc
                      • Instruction Fuzzy Hash: 4F319071A0030A8FCF15DFA8C844AADB7F6EF48324F24406AE406E7390DB349D82DB95
                      APIs
                      • _SpinWait.LIBCONCRT ref: 004286EE
                        • Part of subcall function 0041EAD0: _SpinWait.LIBCONCRT ref: 0041EAE8
                      • Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00428702
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00428734
                      • List.LIBCMT ref: 004287B7
                      • List.LIBCMT ref: 004287C6
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
                      • String ID:
                      • API String ID: 3281396844-0
                      • Opcode ID: b0a24117a62347580a2ad84b9a89b7294bf208186338a952b26754fdafb675af
                      • Instruction ID: 462aa756160b9a796e7fec1675da630e13b8ae80002d108a4576a0d2cee0735b
                      • Opcode Fuzzy Hash: b0a24117a62347580a2ad84b9a89b7294bf208186338a952b26754fdafb675af
                      • Instruction Fuzzy Hash: C9318832A02265DFCB14EFA5E9816DEB7B1BF44308FA4406FD80167242CB79AD05CB99
                      APIs
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 020F7617
                      • Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 020F7659
                      • Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 020F7675
                      • Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 020F7680
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 020F76A7
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 3897347962-0
                      • Opcode ID: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
                      • Instruction ID: 7d7e291cb9106d9cf19d35b4f5d4bfd3fe96793d439aa7ce2a9f3f8754e3bb48
                      • Opcode Fuzzy Hash: c12b9fb7ade3771b82fb90936bc3b93d705f62869cacdabd48ca9c13149a27d9
                      • Instruction Fuzzy Hash: 4821B434A40308AFCF45DFA9C884AEDB7B5BF08344F0040A9DA01A7761DB30AE01DF91
                      APIs
                      • _free.LIBCMT ref: 0210F2B9
                        • Part of subcall function 0210B05C: HeapFree.KERNEL32(00000000,00000000,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?), ref: 0210B072
                        • Part of subcall function 0210B05C: GetLastError.KERNEL32(?,?,0210F334,?,00000000,?,?,?,0210F35B,?,00000007,?,?,0210F75D,?,?), ref: 0210B084
                      • _free.LIBCMT ref: 0210F2CB
                      • _free.LIBCMT ref: 0210F2DD
                      • _free.LIBCMT ref: 0210F2EF
                      • _free.LIBCMT ref: 0210F301
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction ID: 0a874037a9db4f4e6ecb0cfd12de3b2dcc2b15caf272353ba114cb436b012ec0
                      • Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction Fuzzy Hash: 87F04F32548700AB9630EB54EAD2C1B77EAFA047187640815F01CD7DD0DBF0F980CA54
                      APIs
                      • _free.LIBCMT ref: 0043F052
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 0043F064
                      • _free.LIBCMT ref: 0043F076
                      • _free.LIBCMT ref: 0043F088
                      • _free.LIBCMT ref: 0043F09A
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: _free$ErrorFreeHeapLast
                      • String ID:
                      • API String ID: 776569668-0
                      • Opcode ID: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction ID: afd9a687733b4b320e977570e7283cbf07406cc3be8dc42b58a2af08add3b970
                      • Opcode Fuzzy Hash: 9c86520c17fee5bb977a366526a4cd1d97e426023ecba6e0783088212fd463c3
                      • Instruction Fuzzy Hash: 7AF06832904604FB8534EB5DE681C0773FBEA48312B54281BF048D7611CBB8FC84465D
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: _free
                      • String ID: *?
                      • API String ID: 269201875-2564092906
                      • Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction ID: 00c37bb355e9dcaca82d9eeae3721f0ce388f9e45defbaefefd02ce7e611505f
                      • Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction Fuzzy Hash: 34612CB5E402199FDF14CFA8D8809EEFBF5EF49310B2581AAD815E7380D771AE418B90
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: _free
                      • String ID: *?
                      • API String ID: 269201875-2564092906
                      • Opcode ID: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction ID: 8444feb9c58af159b24f360d524a1af6424cb6e40e41c758a4baa9ba100f3a22
                      • Opcode Fuzzy Hash: 9ef204f46e1e9e6e895b4fd4c09f2a6869b2f7b57ccd26facbf7b5b5b709429c
                      • Instruction Fuzzy Hash: 1E618DB1E002199FCB14DFA9D8815EEFBF5EF4C310F25916AE845E7300E639AE418B94
                      APIs
                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 0044275C
                      • _free.LIBCMT ref: 0044274A
                        • Part of subcall function 0043ADF5: HeapFree.KERNEL32(00000000,00000000,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?), ref: 0043AE0B
                        • Part of subcall function 0043ADF5: GetLastError.KERNEL32(?,?,0043F0CD,?,00000000,?,?,?,0043F0F4,?,00000007,?,?,0043F4F6,?,?), ref: 0043AE1D
                      • _free.LIBCMT ref: 00442916
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      • API ID: _free$ErrorFreeHeapInformationLastTimeZone
                      • String ID: XgE
                      • API String ID: 2155170405-2984570469
                      • Opcode ID: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
                      • Instruction ID: 8084bd392b0667b16f992d69d3ac30f533f8d402883a3cc5e9c46bc507ca970f
                      • Opcode Fuzzy Hash: 408f858600a1f53604d9e13eb6c4a6de5f766e6ad14c8f26f7ae90bdf88e241d
                      • Instruction Fuzzy Hash: 3B5117B1900215ABFB10EF65CE819AEB7B8EF44314F51026BF510E3291EBF89E418B59
                      APIs
                      • ___except_validate_context_record.LIBVCRUNTIME ref: 02104AE6
                      • __IsNonwritableInCurrentImage.LIBCMT ref: 02104B9A
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: CurrentImageNonwritable___except_validate_context_record
                      • String ID: S9C$csm
                      • API String ID: 3480331319-582408667
                      • Opcode ID: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction ID: 6921b6121e2f669dc4825c274a6d8715bbdd81e2b14f8eff76ab3ea70f280cae
                      • Opcode Fuzzy Hash: a4331c987b1b53513cbe21c672c92ef55e4810aa54a37fe5f5d469cf9e84ef45
                      • Instruction Fuzzy Hash: 7541A238A40208AFCF20DF68C8C4B9EBBA5AF45318F148155EA159B3D2D7B5EA15CF91
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 021058E7
                      • CatchIt.LIBVCRUNTIME ref: 021059CD
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      • API ID: CatchEncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 1435073870-2084237596
                      • Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction ID: 4bb621a815b94070514f1028d50c85585eeb1370223c9ec76a085511317b901c
                      • Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction Fuzzy Hash: 96415672D40209BFCF16DF98CC81AAEBBB6BF08314F548099F914A72A1D3B59950DF60
                      APIs
                      • RtlEncodePointer.NTDLL(00000000), ref: 00435680
                      • CatchIt.LIBVCRUNTIME ref: 00435766
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmpDownload File
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmpDownload File
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: CatchEncodePointer
                      • String ID: MOC$RCC
                      • API String ID: 1435073870-2084237596
                      • Opcode ID: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction ID: 5e74a0003837bbbf1c0f5d1cc79d9a8e9fb2d82c4166bdd95ad30412f998441c
                      • Opcode Fuzzy Hash: e76bbd798ac2a2531b018cbcd065df587f22d77e50faeab241abe2fb58f9e970
                      • Instruction Fuzzy Hash: 4A418871900609EFCF15CF98DC82AEEBBB5BF4C304F18909AF90867221D339A950DB58
                      APIs
                        • Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
                      • _free.LIBCMT ref: 0043E528
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: _free
                      • String ID: @"F$avC
                      • API String ID: 269201875-3024483575
                      • Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction ID: c2258c4a8f5ad0cbd888ce205a5b2d9973e5ee0a434949fbdbaf9cd53865a0ee
                      • Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction Fuzzy Hash: 5131BE71800249AFDB01DFAAD841B9F7BF5EF48318F1010AAF8109B2A2EB79DD50CB55
                      APIs
                      • _free.LIBCMT ref: 02112B27
                      • _free.LIBCMT ref: 02112B7D
                        • Part of subcall function 02112959: _free.LIBCMT ref: 021129B1
                        • Part of subcall function 02112959: GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00456758), ref: 021129C3
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: _free$InformationTimeZone
                      • String ID: XgE
                      • API String ID: 597776487-2984570469
                      • Opcode ID: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
                      • Instruction ID: 308e64908c0a2d102192d5dca960fcc140c5b3ed5f7c293d106a554ffa20a2c5
                      • Opcode Fuzzy Hash: f87cbb37d26a9294995cc9def7b394ab45dcd78de0b256dadcc3d82326988738
                      • Instruction Fuzzy Hash: FA215E318402346BDB356B349C84EEB777DDB45364F1102B5DDA4E30D0EBB05D85CA99
                      APIs
                      • __EH_prolog3.LIBCMT ref: 020F0F31
                      • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 020F0F3E
                      • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 020F0F91
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_H_prolog3Lock::_ManagerManager::Reentrant
                      • String ID: p[F
                      • API String ID: 220083066-1832964472
                      • Opcode ID: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
                      • Instruction ID: 5ce9e07bd307e03b54cf720efba74e2283f0c3b53b344989861c2eb55308efa5
                      • Opcode Fuzzy Hash: 6216d83329a3209df67438af02903c6e9b09d36f54debea953983a2b7a8ea068
                      • Instruction Fuzzy Hash: 3201DD709443018EDFD1EFB4591039D77E2AF04750F50446ED205EBA86DB744E44AB95
                      APIs
                      • Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042A102
                      • Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042A126
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042A139
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
                      • String ID: pScheduler
                      • API String ID: 246774199-923244539
                      • Opcode ID: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
                      • Instruction ID: 10cbf4c553f32a99b29d21dedcc7eb1d51cf5285ac80ee2cb09dfeade9188058
                      • Opcode Fuzzy Hash: 682a3eefa47bedf4d22a1faa156ea6bcc2a49e045c4e2ce76e6417afd79e9783
                      • Instruction Fuzzy Hash: 56F02B35700224A38720FA55FC428AEF3789F80729BA0812FEC0517182DB7CAA19C69E
                      APIs
                      • RegisterWaitForSingleObject.KERNEL32(?,%C,?,02100C8C,000000FF,0000000C), ref: 020F0098
                      • GetLastError.KERNEL32(?,02100C8C,?,00430925,?,?,?,?,?,?,020F5F15,?), ref: 020F00A7
                      • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 020F00BD
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastObjectRegisterSingleWait
                      • String ID: %C
                      • API String ID: 2296417588-4291884666
                      • Opcode ID: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
                      • Instruction ID: 2c0334ff6b155651f7ddf2e9162de21c516ff014a657a13a8fa20a7d761886a6
                      • Opcode Fuzzy Hash: fbcf708f24b496e530a1d5d1bc838a4ad30d765a2443b3a5aa298535997dd61c
                      • Instruction Fuzzy Hash: 95F0A03564030AFBCF40EFA5DD44EEF37ADAB04705F200625B620E24D2DB39D604AB64
                      APIs
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 020ED42D
                      • WaitForSingleObjectEx.KERNEL32(00468680,00000000,?,020ED39D,00000064,?,0045007C,?,020D7854,00468680), ref: 020ED43E
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 020ED445
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: CriticalSection$EnterLeaveObjectSingleWait
                      • String ID: PWF
                      • API String ID: 501323975-4189640852
                      • Opcode ID: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction ID: 79f4f8d49b94fcfb360084f8e9941c0486e37d270a1222b1d87fc0887e826d20
                      • Opcode Fuzzy Hash: 797b37c2cabad88e9ba561759b38bac6fac545db67df0b7ba0c67b1f35825c1a
                      • Instruction Fuzzy Hash: C7E0ED35541B24EBCB021B50AC09A9E3B68EB45753F044021FA06A61619B656D409BDE
                      APIs
                      • GetVersionExW.KERNEL32(0000011C,00462014), ref: 020D8011
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020D8072
                      • GetProcAddress.KERNEL32(00000000), ref: 020D8079
                      • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020D813E
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: AddressHandleInfoModuleProcSystemVersion
                      • API String ID: 1456109104-0
                      • Opcode ID: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
                      • Instruction ID: 2c49dd5917027b7d93fac7222d602d4779a146262acf8b27267d3f967f039048
                      • Opcode Fuzzy Hash: f86739a690633f7d14615720dab4f5b7d6e0e144a36365c4640fb5ca6efcc30f
                      • Instruction Fuzzy Hash: C6E11570E01354ABDB14BB68CD8679CBB72AB86720F94429CD8156B3C0EB754E859FC3
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: _strrchr
                      • API String ID: 3213747228-0
                      • Opcode ID: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
                      • Instruction ID: 1035c78b384f81664f3a393aa5c8ca41cbda4ee0db0b2f84844cb77391edb44a
                      • Opcode Fuzzy Hash: d1e2580fea8bb5659ef3a0ec9f2bd8d3f247a712cc4476731abb6eb94a7ef4ee
                      • Instruction Fuzzy Hash: 80B148729402859FDB15CF68C8C0BBEBBF5EF45340F1581AAD8549B2C5D7B58902CFA1
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: AdjustPointer
                      • API String ID: 1740715915-0
                      • Opcode ID: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
                      • Instruction ID: 1a1f59648acd49c47c36c952a54f0e9a1933abd9490c249f801f005bc9f4a5ce
                      • Opcode Fuzzy Hash: ee1216290e05d5aa883e1d856bebe084c5c42d67d7e9ed6b593ecc55b417bb7c
                      • Instruction Fuzzy Hash: C651BE72680706BFDB289F50D9C0BAA77A6FF04314F94452DE8129A2D0E7F1E880DF90
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: AdjustPointer
                      • API String ID: 1740715915-0
                      • Opcode ID: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
                      • Instruction ID: de7e3e00fb04a34b96eeb7253be455e546d1f1f5c91bb76df3f696651397a324
                      • Opcode Fuzzy Hash: 24256a6a0eee4dc051d6a34bfd34133c294509d047b55e93e8e20eb2f16a28ea
                      • Instruction Fuzzy Hash: 5851E171A01A06AFEF289F55D841BBB73B4EF18304F14516FE80197291E739ED41CB99
                      APIs
                      • GetVersionExW.KERNEL32(0000011C,?,00462014), ref: 020D8660
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 020D86C7
                      • GetProcAddress.KERNEL32(00000000), ref: 020D86CE
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcVersion
                      • API String ID: 3310240892-0
                      • Opcode ID: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
                      • Instruction ID: dc477fa39c52d70e7a2407dc208a011f69e684b7a260d60fb0ffb8a2110fbe05
                      • Opcode Fuzzy Hash: a9352ec7e219f5b0e6875a96d9916c0a74e731d0ff9642be5bb7f7817e9f41d6
                      • Instruction Fuzzy Hash: 325116709013089BDB28EB64DD887DDBB75EF45710F5082A8E819A72D0EB359AC09F91
                      APIs
                      • GetVersionExW.KERNEL32(0000011C,?,6B1A456B), ref: 004083F9
                      • GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408460
                      • GetProcAddress.KERNEL32(00000000), ref: 00408467
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: AddressHandleModuleProcVersion
                      • API String ID: 3310240892-0
                      • Opcode ID: 3a9a6616743496babd75a57264d9c112cc3b8580f8eefccc93ff8829d01ba640
                      • Instruction ID: 938ad35630e66277154cddf74743d86f98c067e6d70a9bb90e20810804f89ef8
                      • Opcode Fuzzy Hash: 3a9a6616743496babd75a57264d9c112cc3b8580f8eefccc93ff8829d01ba640
                      • Instruction Fuzzy Hash: E9510870D00214ABDB14EF68DE497DEBB74EB46314F5042BEE445A72C1EF389AC48B99
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: EqualOffsetTypeids
                      • API String ID: 1707706676-0
                      • Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                      • Instruction ID: 4d144a2055e20b7efe3bafa3a41d7e035e86cd1172094c040e25ff904275f8a1
                      • Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
                      • Instruction Fuzzy Hash: 05519C3590420A9FCF11CF69C4C0AEEBBF1EF05214F15449AEAA1A7390D7B2A944CB90
                      APIs
                      • _free.LIBCMT ref: 02116305
                      • _free.LIBCMT ref: 0211632E
                      • SetEndOfFile.KERNEL32(00000000,02111C71,00000000,0210AEF9,?,?,?,?,?,?,?,02111C71,0210AEF9,00000000), ref: 02116360
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,02111C71,0210AEF9,00000000,?,?,?,?,00000000), ref: 0211637C
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: _free$ErrorFileLast
                      • API String ID: 1547350101-0
                      • Opcode ID: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
                      • Instruction ID: 85880f1583b141bf695ecc5f3d3e6208cda6162cb58ad93ecbf3dd536e22876f
                      • Opcode Fuzzy Hash: 6fb0f9e19d4acd712ab8c7b746a97e06f48a18ddc77e8d7a73dfb4aa9b2b61d0
                      • Instruction Fuzzy Hash: 1041D5329802819FDB15ABB8CC84B9E77AEEF45320F140535E838A71D0EB72D841CB61
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: Mtx_unlock$Cnd_broadcastCurrentThread
                      • API String ID: 3264154886-0
                      • Opcode ID: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
                      • Instruction ID: 603eceff3c13f42501ec980c5d2d268dfc6500dfab995d2ecaf5c510007da97a
                      • Opcode Fuzzy Hash: d95c55a17dc6c0951bf91651ac23ff9b82cafa9506b18cb5ad1f8234279d2599
                      • Instruction Fuzzy Hash: 0741ADB0A027159FEB21DF64C944BAAB7E8FF05324F00456AE816D7750EB35E604EF82
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02101DA9
                        • Part of subcall function 02102078: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02101AF1), ref: 02102088
                      • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02101DBE
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02101DCD
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02101E91
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
                      • API String ID: 1312548968-0
                      • Opcode ID: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction ID: 066dcb7d89da3e7ea2d638e539699701846bad5b0aa618b8646e8c8b373ba81c
                      • Opcode Fuzzy Hash: 84332b62cc3de3cfa4170185330e29230a9dc1dcd046b531a1b7116e20220df0
                      • Instruction Fuzzy Hash: 9031E535A40214BFCF15EF68C8C4AAD7376BF44314F20456AED29972C1DBB9EA05CB90
                      APIs
                      • Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 020F2F76
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: BuffersConcurrency::details::InitializeManager::Resource
                      • API String ID: 3433162309-0
                      • Opcode ID: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
                      • Instruction ID: 83a8a422750ea210005ffba8fbc2f887c455092837edbb54f4347a778affcb34
                      • Opcode Fuzzy Hash: 22ca41de25d3fddfd321250d59b84d7d3dba6f78c4a0763dc9e7bbb86f5d08b7
                      • Instruction Fuzzy Hash: 5C318D75E40349DFCF91DF54C4D0BAE7BB9AF44310F0400AADE45ABA46D731A945EBA0
                      APIs
                        • Part of subcall function 02106C33: _free.LIBCMT ref: 02106C41
                        • Part of subcall function 0210EB8D: WideCharToMultiByte.KERNEL32(020D8A07,00000000,0045FB20,00000000,020D8A07,020D8A07,021108B7,?,0045FB20,?,00000000,?,02110626,0000FDE9,00000000,?), ref: 0210EC2F
                      • GetLastError.KERNEL32 ref: 0210DC1E
                      • __dosmaperr.LIBCMT ref: 0210DC25
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0210DC64
                      • __dosmaperr.LIBCMT ref: 0210DC6B
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                      • API String ID: 167067550-0
                      • Opcode ID: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
                      • Instruction ID: f371752e89aa401378c5d16eb5b6b472a603815f893287726dccf51d9577ac8e
                      • Opcode Fuzzy Hash: e192af22dab1e85764783ba134b35ca1a0735bfe77ce3258f04da4e50815c0b3
                      • Instruction Fuzzy Hash: 9121A471680209AF9B246FA2ADC0E6BB7ADEF053747004529E829971C0D7F1EC41CBA0
                      APIs
                        • Part of subcall function 004369CC: _free.LIBCMT ref: 004369DA
                        • Part of subcall function 0043E926: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00444DC0,?,00000000,00000000), ref: 0043E9C8
                      • GetLastError.KERNEL32 ref: 0043D9B7
                      • __dosmaperr.LIBCMT ref: 0043D9BE
                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0043D9FD
                      • __dosmaperr.LIBCMT ref: 0043DA04
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                      • API String ID: 167067550-0
                      • Opcode ID: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
                      • Instruction ID: ee20851a037b4c6b58bdbb56dc4c6e04abe5cdf536cd6285cafdd1b842c948ea
                      • Opcode Fuzzy Hash: e64aadb6d22fe51e849137b99b89815b7d15ae6c09361cf92410591095803afc
                      • Instruction Fuzzy Hash: DB21FBF1A04605BFDB206F66AC80E2777ACEF0C368F10511AF86997251D738EC418799
                      APIs
                      • Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02101AEC
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 02101B0B
                      • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 02101B52
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
                      • API String ID: 1284976207-0
                      • Opcode ID: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction ID: 267a63faa1c7086704de40612050dfc25dd6e8fd2df74438092bc8aa523683c3
                      • Opcode Fuzzy Hash: e9b064e3ffac3daba16c5b096d74077ea667223e78b02618e4975b94426a83e1
                      • Instruction Fuzzy Hash: 2C212735780615AFCB19AB68D8D4BAD73B6BF80325B00052AE51A872D1DBECE841CB94
                      APIs
                      • SetEvent.KERNEL32(?,00000000,?), ref: 02100D50
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 02100D38
                        • Part of subcall function 020F9196: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 020F91B7
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 02100DB3
                      • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 02100DB8
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                      • API String ID: 2734100425-0
                      • Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction ID: 93eb5d7bee03d73278d928d9074b75ca69d0a453f03e8427e16eda5f5da1e445
                      • Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction Fuzzy Hash: 00210479640214AFCB10EB58CC84EAEB7B9FF48361B040166FA15A32D1DBB1AD018FA5
                      APIs
                      • SetEvent.KERNEL32(?,00000000,?), ref: 00430AE9
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430AD1
                        • Part of subcall function 00428F2F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00428F50
                      • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430B4C
                      • SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0045F4C0), ref: 00430B51
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Similarity
                      • API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
                      • API String ID: 2734100425-0
                      • Opcode ID: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction ID: eb585ae1b4d53eae47272984182226d4372f2576b54a2ee7974d2067b554b9fa
                      • Opcode Fuzzy Hash: 2e8a3a5ddc2bebb452bc5efae35c7b376e30f6768224933571346adf22c5373c
                      • Instruction Fuzzy Hash: 54210475700224AFCB10EB59DC45D7EB7A8EF48324F15015BFA16A3292CB74AD018AA9
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Similarity
                      • Opcode ID: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction ID: 7a8cde4026a48bb6d5768377377984cbc0cd050d2be8ad8d8f83f75428863707
                      • Opcode Fuzzy Hash: b882474e2421becce6f7ac3255c006c5444dc2a1b8804bcc2ed4a91c923f1653
                      • Instruction Fuzzy Hash: 2521C335AC9324ABCB318A649CC5B1A3758AF117A8F110561FC17E72E1D7B0EF00C6E4
                      APIs
                      • Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 020F5168
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 020F518B
                      • __EH_prolog3.LIBCMT ref: 020F51A6
                      • Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 020F51CD
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CacheConcurrency::details::GroupLocalSchedule$H_prolog3Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
                      • String ID:
                      • API String ID: 2642201467-0
                      • Opcode ID: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
                      • Instruction ID: aab8fcd92fda44af4775aef9c9764bb2312182c752186fdb2bf39eef9183baea
                      • Opcode Fuzzy Hash: 8c7b1ccd00f45581bab929026422e21ff28f01d8dc45cb75e357af66afe4e75e
                      • Instruction Fuzzy Hash: D421C135640305EFCB54EF58CC80AAD77B6FF48311F50406AEA169BA90DB71AE01EF54
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0210162D
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 021015DE
                        • Part of subcall function 020F8582: SafeRWList.LIBCONCRT ref: 020F8593
                      • SafeRWList.LIBCONCRT ref: 02101623
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 02101643
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 336577199-0
                      • Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction ID: 2e23fa1ec377a848f61bad94649a630a2a6e005bdd0ad2a581d16e2c99ed5f29
                      • Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction Fuzzy Hash: 6F21B07164020AAFCB44DF64C8C0FA5FBEABB85718F14D2A6D40A4F581DBB5E685CBC0
                      APIs
                      • Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 004313C6
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 00431377
                        • Part of subcall function 0042831B: SafeRWList.LIBCONCRT ref: 0042832C
                      • SafeRWList.LIBCONCRT ref: 004313BC
                      • Concurrency::details::ContextBase::AddStealer.LIBCONCRT ref: 004313DC
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Base::Concurrency::details::ContextListSafeStealer$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                      • String ID:
                      • API String ID: 336577199-0
                      • Opcode ID: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction ID: d9e605bbb79d098c531deca9cf4cd80c541eae854b845806876d4496965d449b
                      • Opcode Fuzzy Hash: 633f29ab29772fce27dba393e8379a29e8a0d8340c800c4eeedaee01f30ccdc5
                      • Instruction Fuzzy Hash: 7521F53160020ADFC704CF24C881FA5F7E8FB48718F54E2ABD8054B552DB39E98ACB94
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
                      • Instruction ID: 3d3d18ec92b1c3c014a120e06646e30132a67ebeda1e2581eb4ca49fbad1562e
                      • Opcode Fuzzy Hash: 65fe2d25819fbcf81a19c36cb243a6994e9bb55f4a4ff3c1705520088a00f9a9
                      • Instruction Fuzzy Hash: B011E635A81765ABCB228F649DC4B1A376CAF097A0B110621E911A72D1D7B0ED20C6E0
                      APIs
                      • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 020EF576
                        • Part of subcall function 020EF732: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 020F56ED
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 020EF597
                        • Part of subcall function 020F0419: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 020F0435
                      • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 020EF5B3
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 020EF5BA
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                      • String ID:
                      • API String ID: 1684785560-0
                      • Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction ID: 79f3e65829e53fd2f9925ad0caec936b592667ee43a1b2d8d1f16a32fe6a6000
                      • Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction Fuzzy Hash: 710104B25003067FDB207F688C848ABFBA9DF20354B10852BEA56D2581D770A584ABA1
                      APIs
                      • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041F30F
                        • Part of subcall function 0041F4CB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00425486
                      • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0041F330
                        • Part of subcall function 004201B2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004201CE
                      • Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0041F34C
                      • Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0041F353
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
                      • String ID:
                      • API String ID: 1684785560-0
                      • Opcode ID: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction ID: fbdee06be22d7eb5cf524bde3a8873450c2cdba4fa94e97b4615b2f8ae6f40be
                      • Opcode Fuzzy Hash: 04357caceeb09c65516863605c6f7112208db5e15fbad483dcb42361f4682929
                      • Instruction Fuzzy Hash: 9C012B71500309BBD720AF66CC859DBFBA8EF10358B10453FFC1492152D778E98A87A9
                      APIs
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 02103642
                      • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 02103656
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 0210366E
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 02103686
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                      • String ID:
                      • API String ID: 78362717-0
                      • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction ID: 1f7afbb10e79756f5580525dd2b9d4598c155ff00d9d5b1d96886687071c721b
                      • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction Fuzzy Hash: B801DB366401146BCF16EE95C890AEF77AEAF44350F000095ED21A73C1DBB1EE119AE0
                      APIs
                      • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004333DB
                      • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 004333EF
                      • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00433407
                      • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043341F
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                      • String ID:
                      • API String ID: 78362717-0
                      • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction ID: 148698cb8657f3ab7a0d111eac04cd811a00bb0e29ba6abd34784ed5a644fba4
                      • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                      • Instruction Fuzzy Hash: 74012632700524A7CF16EF658841AAFB7A99F58314F00001BFC12EB382DA74EE1193A5
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0210BC07,00000000,?,02112212,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0210BAB8
                      • GetLastError.KERNEL32(?,02112212,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0210BC07,00000000,00000104,?), ref: 0210BAC2
                      • __dosmaperr.LIBCMT ref: 0210BAC9
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction ID: 2ed3f7cf5921df85137e585054260db73b63b2b87107003acc4d51f0dd33e1db
                      • Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction Fuzzy Hash: 95F08132244615BB8B211FA2DC88966FF6AFF443A57018521F529C74A0D771E911CBE0
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0210BC07,00000000,?,0211219D,00000000,00000000,0210BC07,?,?,00000000,00000000,00000001), ref: 0210BB21
                      • GetLastError.KERNEL32(?,0211219D,00000000,00000000,0210BC07,?,?,00000000,00000000,00000001,00000000,00000000,?,0210BC07,00000000,00000104), ref: 0210BB2B
                      • __dosmaperr.LIBCMT ref: 0210BB32
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction ID: 3b7ace666d399f253423c2984e448b604983049f1400decfbd8eae14394afb26
                      • Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction Fuzzy Hash: 02F0AD32644615BB8B301BA2DC8895AFF6AFF443A53008021E529C30A0CB71E911CBD0
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0043B851
                      • GetLastError.KERNEL32(?,00441FAB,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104,?), ref: 0043B85B
                      • __dosmaperr.LIBCMT ref: 0043B862
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction ID: 4d38e234b28d8319e4134ca970a631ac6953b460d6f58f575e06abf1e175f512
                      • Opcode Fuzzy Hash: 573f122ae82f08db5f9a13de85ef365be3234010d0279eca2789f216f3b9dc80
                      • Instruction Fuzzy Hash: 51F06D36600615BBCB246FA6DC08E4BBF6DFF483A1B009126F61DC6521D735E811CBD8
                      APIs
                      • GetFullPathNameW.KERNEL32(?,?,00000000,00000000,0043B9A0,00000000,?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001), ref: 0043B8BA
                      • GetLastError.KERNEL32(?,00441F36,00000000,00000000,0043B9A0,?,?,00000000,00000000,00000001,00000000,00000000,?,0043B9A0,00000000,00000104), ref: 0043B8C4
                      • __dosmaperr.LIBCMT ref: 0043B8CB
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ErrorFullLastNamePath__dosmaperr
                      • String ID:
                      • API String ID: 2398240785-0
                      • Opcode ID: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction ID: fe454a788940d8d1b6a18dc845ad3b04fffb8540f5c3b85414d994226db15d49
                      • Opcode Fuzzy Hash: 8d52b872a16da2ecde656976662c890ef9145f26e1d0b0297742ad47c23117d8
                      • Instruction Fuzzy Hash: 26F06D72600619BB8B216BA6DC08B57BF69FF483A0B009526FA19C6521D739E861C7D8
                      APIs
                        • Part of subcall function 020F01CD: TlsGetValue.KERNEL32(?,?,020EF74E,020EF57B,?,?), ref: 020F01D3
                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 020F5296
                        • Part of subcall function 020FE575: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 020FE59C
                        • Part of subcall function 020FE575: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 020FE5B5
                        • Part of subcall function 020FE575: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 020FE62B
                        • Part of subcall function 020FE575: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 020FE633
                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 020F52A4
                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 020F52AE
                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 020F52B8
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                      • String ID:
                      • API String ID: 2616382602-0
                      • Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction ID: 1889d0754e6c9b9ce7254b86bb217301de76a27b53e07a470757ee6d71a20c4a
                      • Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction Fuzzy Hash: 84F0FC31A4071867CAA5B7258C145EDBB675F81B10F40412AE71143A91EF649A15AFC2
                      APIs
                        • Part of subcall function 0041FF66: TlsGetValue.KERNEL32(?,?,0041F4E7,0041F314,?,?), ref: 0041FF6C
                      • Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0042502F
                        • Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042E335
                        • Part of subcall function 0042E30E: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042E34E
                        • Part of subcall function 0042E30E: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042E3C4
                        • Part of subcall function 0042E30E: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0042E3CC
                      • Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 0042503D
                      • Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00425047
                      • Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00425051
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
                      • String ID:
                      • API String ID: 2616382602-0
                      • Opcode ID: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction ID: 591bd9b18c1ea594323a38232f6cf7a467bdae74b08f21c6b28571b33805ae9f
                      • Opcode Fuzzy Hash: 70a698541e2e15fa6626dca2384dcb953701250920abc52d754e3547d00c3c09
                      • Instruction Fuzzy Hash: 2DF0F63170053927CA25B727E81286EF6659F91B58B80002FF91057252EF7C9E498BCE
                      APIs
                      • __EH_prolog3.LIBCMT ref: 020EFB78
                      • Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 020EFBAB
                      • Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 020EFBB7
                      • Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 020EFBC0
                        • Part of subcall function 020EF554: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 020EF576
                        • Part of subcall function 020EF554: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 020EF597
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::$Concurrency::critical_section::_Timer$Acquire_lockAsyncBase::ContextCurrentDerefH_prolog3LibraryLoadLockNodeNode::QueueRegisterSchedulerSwitch_to_active
                      • String ID:
                      • API String ID: 2559503089-0
                      • Opcode ID: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
                      • Instruction ID: 987b590b7aae4d376ce19445454f3ae0f226e4be114d9eedc50e4b5a84f2fcaf
                      • Opcode Fuzzy Hash: 6202bdfdb5770ea946800c78cd8ea731ca40aa09cdf17d07ebd0c2e6249b1ab2
                      • Instruction Fuzzy Hash: F6F0E97160030AAF9F15BE7448699FD32AB9F90324B084169D5139F7C0DF748D80BAA4
                      APIs
                      • WriteConsoleW.KERNEL32(020D8A07,0000000F,0045FB20,00000000,020D8A07,?,02115421,020D8A07,00000001,020D8A07,020D8A07,?,021102FC,00000000,?,020D8A07), ref: 02116D4D
                      • GetLastError.KERNEL32(?,02115421,020D8A07,00000001,020D8A07,020D8A07,?,021102FC,00000000,?,020D8A07,00000000,020D8A07,?,02110850,020D8A07), ref: 02116D59
                        • Part of subcall function 02116D1F: CloseHandle.KERNEL32(00462970,02116D69,?,02115421,020D8A07,00000001,020D8A07,020D8A07,?,021102FC,00000000,?,020D8A07,00000000,020D8A07), ref: 02116D2F
                      • ___initconout.LIBCMT ref: 02116D69
                        • Part of subcall function 02116CE1: CreateFileW.KERNEL32(00457658,40000000,00000003,00000000,00000003,00000000,00000000,02116D10,0211540E,020D8A07,?,021102FC,00000000,?,020D8A07,00000000), ref: 02116CF4
                      • WriteConsoleW.KERNEL32(020D8A07,0000000F,0045FB20,00000000,?,02115421,020D8A07,00000001,020D8A07,020D8A07,?,021102FC,00000000,?,020D8A07,00000000), ref: 02116D7E
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction ID: 2506524e32fe661eee7cdabc72fb316dd153d6e75da10f2f7e0cdd705f28c7e8
                      • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction Fuzzy Hash: 34F0F8361412A8BBCF621FA5AC08A893E2AEB493A1F104071FA1C85120D773C820DB95
                      APIs
                      • WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,004087A0,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0), ref: 00446AE6
                      • GetLastError.KERNEL32(?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0,?,004405E9,004087A0), ref: 00446AF2
                        • Part of subcall function 00446AB8: CloseHandle.KERNEL32(FFFFFFFE,00446B02,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000,004087A0), ref: 00446AC8
                      • ___initconout.LIBCMT ref: 00446B02
                        • Part of subcall function 00446A7A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00446AA9,004451A7,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446A8D
                      • WriteConsoleW.KERNEL32(004087A0,0000000F,0045FB20,00000000,?,004451BA,004087A0,00000001,004087A0,004087A0,?,00440095,00000000,?,004087A0,00000000), ref: 00446B17
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                      • String ID:
                      • API String ID: 2744216297-0
                      • Opcode ID: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction ID: 2847bb895f9299352194151eea3b2518d9960724f28a171724648c66562c6119
                      • Opcode Fuzzy Hash: 68f8837eb1d4a2712d10f3c5b8a7bf099e143a904c0dfdbb60282304a99716f4
                      • Instruction Fuzzy Hash: 1DF03736101664BBDF621FA5DC089DA3F65FB457A2F014022FE1C95131D672DC20DB9A
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: runas
                      • API String ID: 3472027048-4000483414
                      • Opcode ID: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
                      • Instruction ID: 046be63156d408ad1f800bf8d5a7c051908ca65fb1f6ae6dc329010a016fe5f0
                      • Opcode Fuzzy Hash: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
                      • Instruction Fuzzy Hash: 21E15670A01344AFEB08EB78CD85BDDBB76EF41314F60825CE411AB3D5DB758A809B92
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Sleep
                      • String ID: runas
                      • API String ID: 3472027048-4000483414
                      • Opcode ID: 881957725d7ee65a7f7f3f75449f95d7bbb280d7ad157871870bf31851af7815
                      • Instruction ID: 16d312adbf3c5a63ffdf7f0f3d7c95d875241b4f4b30525d3919e6496bc747c1
                      • Opcode Fuzzy Hash: 881957725d7ee65a7f7f3f75449f95d7bbb280d7ad157871870bf31851af7815
                      • Instruction Fuzzy Hash: D0E13C71E14144ABEB08EB78CD8679D7B72DF42304F60815EF405A73C6DB7D9A80879A
                      APIs
                        • Part of subcall function 0043E259: GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661), ref: 0043E722
                      • GetCPInfo.KERNEL32(00000000,0043E512,?,avC,0043E512,?,00000000,?,?,?,?,?,?,00437661,?), ref: 0043E764
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CodeInfoPageValid
                      • String ID: avC
                      • API String ID: 546120528-551859807
                      • Opcode ID: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
                      • Instruction ID: 7136e37640ab4f9cfa26bf5a46befe49b79dc652285453c6057786630530e70e
                      • Opcode Fuzzy Hash: 40678aea89edd431b2c9a3e3bda96fb4224bb9d3af1647208ffe2423ccba4704
                      • Instruction Fuzzy Hash: C6512370E012059EEB249F73C8806ABBBF5EF88304F14646FD096973D2E7789546CB99
                      APIs
                      • ReadFile.KERNEL32(?,?,00000002,?,00000000,?,00000000,?), ref: 0044540D
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: FileRead
                      • String ID: )ZD$)ZD
                      • API String ID: 2738559852-3993371512
                      • Opcode ID: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
                      • Instruction ID: fc353a334f2b284155b366ba4413ab3dfc7edfe09a6423858d2821c62ff71e0d
                      • Opcode Fuzzy Hash: 0eb56316cf27b920e1eb67f398ea9860885408d35e2d831988382829233ef988
                      • Instruction Fuzzy Hash: 4651E731A04619EBDF20CF58C881BEDB7B0FF05314F20856AD855AB392E3785981CB99
                      Strings
                      • C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 021092C3, 02109300
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
                      • API String ID: 0-2143550836
                      • Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction ID: b98347ba133a2442527a37bb97e6371abd1731ce37a15f5ea0effe8f5b89ac84
                      • Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction Fuzzy Hash: 38419271E80214AFCB25DBA9DCD09AFBBB9EB89B10F140066E5049B2D1E7F09A40CF55
                      Strings
                      • C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 0043905C, 00439099
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
                      • API String ID: 0-2143550836
                      • Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction ID: 5a6a14289eafe60ce2143b443f35f28c3b9330844cb9aa4b0d6a2bcf37f19cd6
                      • Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
                      • Instruction Fuzzy Hash: B841A571A00219AFDB159F9ACC859AFBBF8EB8D310F10106BE404A7351E7F48E41CB59
                      APIs
                        • Part of subcall function 0210E4C0: GetOEMCP.KERNEL32(00000000,0210E732,?,?,021078C8,021078C8,?), ref: 0210E4EB
                      • _free.LIBCMT ref: 0210E78F
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: @"F
                      • API String ID: 269201875-3084318295
                      • Opcode ID: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction ID: a6b79f45e323c47e707548bd1480c122998d01fb54d61b2dadfb93aac56683a4
                      • Opcode Fuzzy Hash: 9908dd6ab1a80c5fc09db8b12665e78ab5e05ea3aa24e2a155a3ad1beaefeb8c
                      • Instruction Fuzzy Hash: 3D31BE71940209AFDB11DFA9C8C0B9E7BF5EF44314F15086AEA109B2E0EBB1A950CF90
                      APIs
                      • __alloca_probe_16.LIBCMT ref: 0041B65E
                      • RaiseException.KERNEL32(?,?,?,?), ref: 0041B683
                        • Part of subcall function 00433B04: RaiseException.KERNEL32(E06D7363,00000001,00000003,0045E3B0,?,?,?,0045E3B0), ref: 00433B64
                        • Part of subcall function 00438BEC: IsProcessorFeaturePresent.KERNEL32(00000017,0043A72D,?,?,0043694A,?,?,?,?,00437661,?), ref: 00438C08
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
                      • String ID: csm
                      • API String ID: 1924019822-1018135373
                      • Opcode ID: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
                      • Instruction ID: 9f88b0b7aede3b21d37810e77ce6789f3a807ab352a7de9bd37fa5025d97b667
                      • Opcode Fuzzy Hash: ad5d9faefd0c1ab4e9a02e3e4909efcbe63737fe706ed9a567fc9c955821b515
                      • Instruction Fuzzy Hash: A721AF31D01218AFCF24DF96C945AEFB7B8EF24714F14441AE845AB251CB38AD85CBCA
                      APIs
                      • Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00431764
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004317AF
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
                      • String ID: pContext
                      • API String ID: 3390424672-2046700901
                      • Opcode ID: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
                      • Instruction ID: 942ad2940211714a74bcc9dfb36523be2d48a1416fc9e5f4f6d4d921a905eb8f
                      • Opcode Fuzzy Hash: 022a27bc18fa5d8226aa9ea097ec315d7e10c5cb17fb68df421d1453c8f8c9ce
                      • Instruction Fuzzy Hash: 2F113639A002149BCB05FF58C88596D77A5AF8C365F18406BEC0297362DB3CED05CBD8
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: x!F
                      • API String ID: 269201875-3062043068
                      • Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction ID: 8574068d91416cd68c0884fcdfd13fac07598b03a1acb2fb8c5ecf876543d882
                      • Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction Fuzzy Hash: 16016C319DDB31BED62576B96EC0E7B22499F02B78F160321FF20A51E0E7D24D114AD5
                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: _free
                      • String ID: x!F
                      • API String ID: 269201875-3062043068
                      • Opcode ID: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction ID: a9be1d7356db9bde33694ffb89096973f5cd6b257b37c16ae0656b7abf5e94eb
                      • Opcode Fuzzy Hash: db21be25886df150d1c6f332858b9cadf02cf268a657b562b65237ce8408447b
                      • Instruction Fuzzy Hash: 0F01D831985A203AD52532355C82B6B12299B0D72CF20322BFBA0653E2FB8DCC3201DF
                      APIs
                      • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00420CD7
                      • Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 00420D2A
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
                      • String ID: p[F
                      • API String ID: 3303180142-1832964472
                      • Opcode ID: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
                      • Instruction ID: 460490d00550286d74d196cd5a9549fc7c942c0fed1932104b3464a6bc3d5762
                      • Opcode Fuzzy Hash: be93dd124044e3a26704792a574e288825ec5497b2495a662014ec0407777033
                      • Instruction Fuzzy Hash: 510180B0F156249EDB10ABBA755135DA6E06B08318FA0406FE405EB283DA7C5E41876E
                      APIs
                      • GetOEMCP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E284
                      • GetACP.KERNEL32(00000000,0043E4CB,?,?,avC,00437661,?), ref: 0043E29B
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID:
                      • String ID: avC
                      • API String ID: 0-551859807
                      • Opcode ID: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
                      • Instruction ID: 791638059a19eb7d03b8e6799ac96854013f7a9a4db5e4c168316c4cba85a157
                      • Opcode Fuzzy Hash: 45530060523da157e537cdb1f7866b3f2572323f108b7a3cdd4d943330284399
                      • Instruction Fuzzy Hash: 15F0F630801202CBE704DFA6E8097AE37B4AB45339F1103D5E439962E2D7B4A841C78A
                      APIs
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 020ED383
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 020ED3C0
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave
                      • String ID: PWF
                      • API String ID: 3168844106-4189640852
                      • Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction ID: 89ac04fcc2590cbd3074dede5865909d55258dbc837f7aa78e0218728340e56d
                      • Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction Fuzzy Hash: 17F02734100700DFCB155F24DC84B2977E9EB41735F20023EEA56472E0D7711C82DA16
                      APIs
                      • RtlEnterCriticalSection.NTDLL(00465750), ref: 0041D11C
                      • RtlLeaveCriticalSection.NTDLL(00465750), ref: 0041D159
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: CriticalSection$EnterLeave
                      • String ID: PWF
                      • API String ID: 3168844106-4189640852
                      • Opcode ID: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction ID: 988e6a820899fd4ceb20f62ffb6a68805dae8dfe7a3415f919f541f0d2922133
                      • Opcode Fuzzy Hash: aa3b7ebb98d861874e14c42a3fd8d5994544321a17c487eeef023a4b97522d77
                      • Instruction Fuzzy Hash: 16F0E275900601EFC3149F14EC44AA677A5EB45736F20022EEA55473D0D7391C82CA1A
                      APIs
                      • Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042B94E
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B961
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
                      • String ID: pContext
                      • API String ID: 548886458-2046700901
                      • Opcode ID: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
                      • Instruction ID: 6d6ffe11be8a4b1ace8c2f2c8a58b350c0e533cc07d7fbfc7cd1cba97992ca6a
                      • Opcode Fuzzy Hash: cb3ebfd47da852ef65d275a916c0fe48e2a73adc5c276bf3244062de85799675
                      • Instruction Fuzzy Hash: 95E02B39B0020467CB04F7A5D845D9DBB789E84715710401BE911A3352EB78AA44C6D8
                      APIs
                      • __EH_prolog3.LIBCMT ref: 020F255C
                      • Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 020F2572
                        • Part of subcall function 020F2A99: Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 020F2AA8
                        • Part of subcall function 020F2A99: Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 020F2ABC
                        • Part of subcall function 020F2A99: Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 020F2ADD
                        • Part of subcall function 020F2A99: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 020F2B46
                        • Part of subcall function 020F2A99: Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 020F2CB4
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_20d0000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: Concurrency::details::Manager::Resource$Information$AffinityTopology$AcquireApplyCaptureCleanupConcurrency::details::_H_prolog3Lock::_ProcessReentrantRestrictionsRetrieveSystemVersion
                      • String ID: p[F
                      • API String ID: 3302332639-1832964472
                      • Opcode ID: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
                      • Instruction ID: 22225496cf206b7ce0935b651a328345c338c03d57abcd6989951489ff0d1799
                      • Opcode Fuzzy Hash: 84bf9b1e625644d46c927a665ec91d8dc20bfdb3b0587f4fa2234934793136a5
                      • Instruction Fuzzy Hash: B4E01AB0740701DBDB90EBA5E92076933E9EB08F04F80042AD6048EA50EBB5E440AF19
                      APIs
                      • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004234FC
                      Strings
                      Memory Dump Source
                      • Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                      • Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
                      • Associated: 00000019.00000002.1788660911.0000000000469000.00000040.00000001.01000000.00000008.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_25_2_400000_skotes.jbxd
                      Yara matches
                      Similarity
                      • API ID: std::invalid_argument::invalid_argument
                      • String ID: pScheduler$version
                      • API String ID: 2141394445-3154422776
                      • Opcode ID: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
                      • Instruction ID: 3122fea0a665ef1032727265859f97669ea40e48c80579a70b610642a631ca87
                      • Opcode Fuzzy Hash: 25f4eee51d5eef7acfdb44f59e56ba93899965d293b766ae16e0c4b89fe0dab4
                      • Instruction Fuzzy Hash: 28E04F34A40208B6CB26FE56E84BBC977749B1474BF94C157BC11111929BFCA78CCA89
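The function records above are the unit an analyst can key on when comparing this sample with other dumps. The script below is an added example written for this report (it is not Joe Sandbox output or code): it parses records in the text layout shown here, groups them by Opcode ID to find the same function present at more than one load address, and flags String IDs that deserve a look. It assumes that layout, treats the %TEMP% drop path and the "runas" verb as notable on its own initiative (that "runas" is the ShellExecute verb that requests elevation is general Windows knowledge, not something the report states), and embeds an excerpt of three records copied from this listing as its input.

```python
"""Correlate Joe Sandbox function-fingerprint records across memory regions.
Added example for this report, not Joe Sandbox code. Assumes the text layout
above: bullet lines "• Key: value", a record closed by its "Instruction Fuzzy
Hash" line, and a "Source File: ..., Offset: ..., based on PE: ..." line."""
import re
from collections import defaultdict

BULLET = re.compile(r"^\s*•\s*(.*)$")
KEYVAL = re.compile(r"^([A-Za-z_ ]+?):(?: (.*))?$")
SOURCE = re.compile(r"^Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Heuristic of this example, not a report claim: "runas" is the ShellExecute verb for elevation.
NOTABLE = {"runas": "ShellExecute verb that requests UAC elevation"}

def parse_records(text):
    """One dict per function record; 'apis', 'strings' and 'Associated' are lists."""
    records, cur = [], defaultdict(list)
    for raw in text.splitlines():
        m = BULLET.match(raw)
        if not m:
            continue                                  # section headers such as "APIs"
        body = m.group(1).strip()
        src = SOURCE.match(body)
        if src:
            cur["source"] = src.group(1)
            cur["offset"] = int(src.group(2), 16)
            cur["pe_backed"] = src.group(3) == "true"
            continue
        kv = KEYVAL.match(body)
        if kv:
            key, val = kv.group(1), kv.group(2) or ""
            if key == "Associated":
                cur["Associated"].append(val)
            else:
                cur[key] = val
            if key == "Instruction Fuzzy Hash":       # last line of every record
                records.append(dict(cur))
                cur = defaultdict(list)
        elif ", xrefs: " in body:                     # string reference line
            cur["strings"].append(body.split(", xrefs: ")[0])
        elif " ref: " in body:                        # API call line
            cur["apis"].append(body.split(" ref: ")[0].rstrip(","))
    return records

def cross_region_matches(records):
    """Opcode IDs seen at more than one load address: the same function in the
    PE-backed image and in an unbacked region, keyed on the address-independent ID."""
    by_opcode = defaultdict(set)
    for r in records:
        by_opcode[r["Opcode ID"]].add(r["offset"])
    return {oid: sorted(offs) for oid, offs in by_opcode.items() if len(offs) > 1}

def opcode_id_is_fuzzy_hash(records):
    """True when every Opcode ID equals its Opcode Fuzzy Hash (Instruction IDs differ per copy)."""
    return all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records)

def notable_records(records):
    """(Opcode ID, offset, reason) for records whose String ID deserves a look."""
    out = []
    for r in records:
        sid = r.get("String ID", "")
        if TEMP_PATH.search(sid):
            out.append((r["Opcode ID"], r["offset"], "references a dropped copy under %TEMP%: " + sid))
        elif sid in NOTABLE:
            out.append((r["Opcode ID"], r["offset"], NOTABLE[sid]))
    return out

# Excerpt of three records copied from the listing above; non-bullet header lines omitted.
SAMPLE = r"""
• C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 021092C3, 02109300
• Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
• API ID:
• String ID: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
• Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
• Instruction ID: b98347ba133a2442527a37bb97e6371abd1731ce37a15f5ea0effe8f5b89ac84
• Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
• Instruction Fuzzy Hash: 38419271E80214AFCB25DBA9DCD09AFBBB9EB89B10F140066E5049B2D1E7F09A40CF55
• C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe, xrefs: 0043905C, 00439099
• Source File: 00000019.00000002.1788660911.0000000000400000.00000040.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000019.00000002.1788660911.0000000000462000.00000040.00000001.01000000.00000008.sdmp
• API ID:
• String ID: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
• Opcode ID: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
• Instruction ID: 5a6a14289eafe60ce2143b443f35f28c3b9330844cb9aa4b0d6a2bcf37f19cd6
• Opcode Fuzzy Hash: 7990cc60f13bbf5db04e74938bd2c0700eb67712c1365d603b23e261442dbb4b
• Instruction Fuzzy Hash: B841A571A00219AFDB159F9ACC859AFBBF8EB8D310F10106BE404A7351E7F48E41CB59
• Source File: 00000019.00000002.1789219495.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false
• API ID: Sleep
• String ID: runas
• Opcode ID: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
• Opcode Fuzzy Hash: b12352c27eb35c7801b30b77c84677b55ae88f5f3268c2bda28ff34a47bf5de4
• Instruction Fuzzy Hash: 21E15670A01344AFEB08EB78CD85BDDBB76EF41314F60825CE411AB3D5DB758A809B92
"""

if __name__ == "__main__":
    for oid, offs in cross_region_matches(parse_records(SAMPLE)).items():
        print(oid[:16], "at", ", ".join(f"{o:08X}" for o in offs))
```

Run over the excerpt, it reports Opcode ID 7990cc60... at both 00400000 (the PE-backed image) and 020D0000 (an unbacked region): the routine that references the dropped skotes.exe path exists at two addresses in process 25. The two copies carry different Instruction IDs while their Opcode ID and Opcode Fuzzy Hash are identical, which is why the Opcode ID, not the Instruction ID, is the field to match on when comparing this report with dumps of other samples.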