
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1521605
MD5: c005d4ffa3e28c22b41a9d222598260a
SHA1: 57cc3a6540bc38c649ddfdd54fa4f3c8a2423677
SHA256: 799d10acbb0e2886c4d32c771964f4c2cb47f93c817cdc26a9acaefa3ba042cb
Tags: exe, RedLineStealer, user-jstrosch

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Installs new ROOT certificates
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 7116 cmdline: "C:\Users\user\Desktop\file.exe" MD5: C005D4FFA3E28C22B41A9D222598260A)
    • IDVNp0HKaI.exe (PID: 4568 cmdline: "C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe" MD5: B473C40205C61DC4750BC49F779908DD)
      • conhost.exe (PID: 3460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 2p4HikHFep.exe (PID: 1512 cmdline: "C:\Users\user\AppData\Roaming\2p4HikHFep.exe" MD5: 65C058E4A90D2EC70B03211D768B6ECC)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer capability which targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
Malware configuration (RedLine, Malware Configuration Extractor): {"C2 url": "65.21.18.51:45580", "Bot Id": "@OLEH_PSP", "Authorization Header": "04a6d05084f51a7ad0943d64cbd172c6"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security | -
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | -
C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -
C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen | see matched strings below
  • 0x45021:$s1: file:///
  • 0x44f7d:$s2: {11111-22222-10009-11112}
  • 0x44fb1:$s3: {11111-22222-50001-00000}
  • 0x4220b:$s4: get_Module
  • 0x3c971:$s5: Reverse
  • 0x3d6bd:$s6: BlockCopy
  • 0x3c9c4:$s7: ReadByte
  • 0x45033:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Roaming\2p4HikHFep.exe | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -

Source | Rule | Description | Author | Strings
00000004.00000000.2120030420.0000000000142000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -
00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
00000002.00000000.2119352114.0000000000C62000.00000002.00000001.01000000.00000005.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -
00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -

Source | Rule | Description | Author | Strings
0.2.file.exe.dc6030.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
4.0.2p4HikHFep.exe.140000.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
0.2.file.exe.dc6030.2.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security | -
0.2.file.exe.e12030.1.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security | -
0.2.file.exe.e12030.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security | -

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-29T01:01:30.365180+0200 | 2043234 | 1 | A Network Trojan was detected | 65.21.18.51 | 45580 | 192.168.2.6 | 49712 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-29T01:01:30.159126+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:35.414922+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:35.922404+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:36.204197+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:38.635563+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:38.848399+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:39.075145+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:39.309080+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:39.526985+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:39.740338+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:39.948801+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:40.349250+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:40.354537+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:40.631571+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:40.956314+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:41.177133+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:41.439832+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:41.513401+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:41.720483+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:41.927155+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:42.132586+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:42.337332+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:42.544940+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP
2024-09-29T01:01:42.793733+0200 | 2043231 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-29T01:01:35.927382+0200 | 2046056 | 1 | A Network Trojan was detected | 65.21.18.51 | 45580 | 192.168.2.6 | 49712 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-29T01:01:30.159126+0200 | 2046045 | 1 | A Network Trojan was detected | 192.168.2.6 | 49712 | 65.21.18.51 | 45580 | TCP


AV Detection

Source: 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": "65.21.18.51:45580", "Bot Id": "@OLEH_PSP", "Authorization Header": "04a6d05084f51a7ad0943d64cbd172c6"}
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | ReversingLabs: Detection: 36%
Source: file.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DAB6DA FindFirstFileExW,0_2_00DAB6DA

Networking

Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.6:49712 -> 65.21.18.51:45580
Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.6:49712 -> 65.21.18.51:45580
Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 65.21.18.51:45580 -> 192.168.2.6:49712
Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 65.21.18.51:45580 -> 192.168.2.6:49712
Source: Malware configuration extractor | URLs: 65.21.18.51:45580
Source: global traffic | TCP traffic: 192.168.2.6:49712 -> 65.21.18.51:45580
Source: Joe Sandbox View | IP Address: 65.21.18.51
Source: Joe Sandbox View | ASN Name: CP-ASDE
Source: unknown | TCP traffic detected without corresponding DNS query: 65.21.18.51 (this entry is reported 35 times)
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.00000000030ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.00000000030ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.00000000030ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldbF. equals www.youtube.com (Youtube)
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.00000000030ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.00000000030ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000026C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15V
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000026C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000026C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                                Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027C0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003063000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.s
                                Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003063000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000000.2120030420.0000000000142000.00000002.00000001.01000000.00000006.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe.0.drString found in binary or memory: https://api.ip.sb/ip
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtabS
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                                Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003259000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_347cfd92-5
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp8D43.tmpJump to dropped file
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp8D32.tmpJump to dropped file

                                System Summary

Source: 0.2.file.exe.e12030.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.e12030.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.0.IDVNp0HKaI.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, type: DROPPED | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.e12030.1.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D92310
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D950B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9FCE0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DB045E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBDC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCC545
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA950B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA9D09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D94EF0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DA5625
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D9CF7F
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Code function: 2_2_02F57792
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Code function: 2_2_02F57498
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Code function: 2_2_02F5746C
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Code function: 2_2_05570CA8
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Code function: 2_2_05571A70
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Code function: 2_2_05571A68
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_0232DC74
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C467D8
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C4A3E8
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C43F50
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C4A3D8
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C46FE8
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C46FF8
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Process token adjusted: Security
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00D97D20 appears 55 times
Source: file.exe | Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePeriblem.exe8 vs file.exe
Source: file.exe, 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePercursory.exe" vs file.exe
                                Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                Source: 0.2.file.exe.e12030.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                                Source: 0.2.file.exe.e12030.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                                Source: 2.0.IDVNp0HKaI.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                                Source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, type: DROPPEDMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
                                Source: file.exeStatic PE information: Section: .cSs ZLIB complexity 0.9997935022026432
                                Source: 0.2.file.exe.e12030.1.raw.unpack, PBE.csCryptographic APIs: 'TransformFinalBlock'
                                Source: 0.2.file.exe.e12030.1.raw.unpack, Strings.csCryptographic APIs: 'CreateDecryptor'
                                Source: 0.2.file.exe.e12030.1.raw.unpack, A2H1lUZ15GsIooGy4G.csCryptographic APIs: 'CreateDecryptor'
                                Source: 0.2.file.exe.e12030.1.raw.unpack, A2H1lUZ15GsIooGy4G.csCryptographic APIs: 'CreateDecryptor'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/8@0/1
                                Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3460:120:WilError_03
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeFile created: C:\Users\user\AppData\Local\Temp\Tmp8D32.tmpJump to behavior
                                Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
                                Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                Source: file.exeReversingLabs: Detection: 71%
                                Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe "C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe"
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Roaming\2p4HikHFep.exe "C:\Users\user\AppData\Roaming\2p4HikHFep.exe"
                                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe "C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe" Jump to behavior
                                Source: C:\Users\user\Desktop\file.exeProcess created: C:\Users\user\AppData\Roaming\2p4HikHFep.exe "C:\Users\user\AppData\Roaming\2p4HikHFep.exe" Jump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: dwrite.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: version.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: dwrite.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: appxsip.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: opcservices.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: esdsip.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: dpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: scrrun.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: linkinfo.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                                Source: Google Chrome.lnk.4.drLNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                                Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.file.exe.e12030.1.raw.unpack, A2H1lUZ15GsIooGy4G.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),WGLh7hOZTTHiPyN9W5R(typeof(Type).TypeHandle)})
Source: IDVNp0HKaI.exe.0.dr | Static PE information: 0xFD0920A4 [Fri Jul 11 15:37:08 2104 UTC]
Source: file.exe | Static PE information: section name: .cSs
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCB9B6 push es; retn 0000h 0_2_00DCBAC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBAD8 push es; retn 0000h 0_2_00DCBAC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBAD8 push es; ret 0_2_00DCBAD5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBAC9 push es; retn 0000h 0_2_00DCBAC6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBAC9 push es; ret 0_2_00DCBAD5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBB45 push es; retf 0000h 0_2_00DCBB32
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00DCBB45 push es; retf 0_2_00DCBB42
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00D976D3 push ecx; ret 0_2_00D976E6
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C30D5B push es; ret 4_2_05C30D62
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C4D412 push es; ret 4_2_05C4D420
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C4C710 push es; ret 4_2_05C4C720
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C4E060 push es; ret 4_2_05C4E070
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Code function: 4_2_05C4ECF2 push eax; ret 4_2_05C4ED01
Source: 0.2.file.exe.e12030.1.raw.unpack, Form1.cs | High entropy of concatenated method names: 'Form1_Load', 'ReadLine', 'Dispose', 'InitializeComponent', 'hslEVK0YRVYVdP1jXHL', 'nHatgm0EHFgWZCImUvw', 'My87Oi037f0J6nyYBa2', 'l1Ur4J0NP3FH6Qek9U5', 'gF2a0S0i574GHi2ycUO', 'zC0ylo0PPjQuylhoBwB'
Source: 0.2.file.exe.e12030.1.raw.unpack, FieldRoot20.cs | High entropy of concatenated method names: 'Field1', 'Field5', 'Field2', 'Field3', 'Field4', 'Key4Database', 'Key3Database', 'OTQYODHrh2PCjrwJJca', 'GhSPe4H1kMOaaXAJjwp', 'DR2pE4HBL2JniJJ3lba'
Source: 0.2.file.exe.e12030.1.raw.unpack, BCRYPT_AUTHENTICATED_CIPHER_MODE_INFO.cs | High entropy of concatenated method names: 'Dispose', 'O1pymx7hA8CjnLAqW28', 'jVK9lT7zl436RGeqiCa', 'NbG9wubF0AEhqGBl0QJ', 'dj9joF7lIXF3rDvvFO2', 'CD921P7cQYZf5yLoGqu', 'DbOZkebBIX3Vx1pFO4W', 'atLfBCbWroMA9UwqAPZ'
Source: 0.2.file.exe.e12030.1.raw.unpack, Auhi.cs | High entropy of concatenated method names: 'I\u04341', 'I\u04342', 'I\u04343', 'I\u04344', 'fHLr5CH0LU6ImQ7akQF', 'DSQ9uuH427Cyq88JbGj', 'OpZpxZH5SuapTriTOAq', 'FMqVPbH752glDSeMbJ8', 'bttmgrHbB3dpfPinxv7', 'coD56bHvCONb23BRE5L'
Source: 0.2.file.exe.e12030.1.raw.unpack, FieldRootRoot.cs | High entropy of concatenated method names: 'Field1', 'Jlu9ecHTegm8xw4UBKS', 'IoUvTMHDaYRRK7p0Krk', 'DAOsh9H9jHxvaTVMUf5', 'QIiwtMH6pslF5yF4C3J', 'Ioy7nwHdUXBKxGIvSG6', 'u7kpnOHAVwGu4JwNs51', 'XEvaHSHJffn3JsTsgZu'
Source: 0.2.file.exe.e12030.1.raw.unpack, CryptoHelper.cs | High entropy of concatenated method names: 'GetDecoded', 'DecryptBlob', 'cryptUnprotectData', 'GetMd5Hash', 'GetHexString', 'cHLGge4BTo1WYObO9uu', 'jODNO04WlKmh49YYT18', 'xVXJsi4roYFsdlriPbP', 'M6jOaJ0zaR01N0Glgqa', 'FF1htS4FvThRl3Aa8MZ'
Source: 0.2.file.exe.e12030.1.raw.unpack, BerkeleyDB.cs | High entropy of concatenated method names: 'Extract', 'L1aWba0RLYGrIYCqlO6', 't8M4Vf0Zbw9qDRCeaAm', 'LWeaqV08lEqIWpk7bd3', 'rmhgy00uP06nkvF8Efs', 'XCEbvI0SXCLbv0dApnF', 'vqlJpt0ljVOBL4eaFFE', 'CHa9Ho0c09E5U0VKeas', 'IDjZhW0QxCOiIw9gpMh', 'Tmcd2x0xZWUCvC8bwHv'
Source: 0.2.file.exe.e12030.1.raw.unpack, TripleDes.cs | High entropy of concatenated method names: 'ComputeVoid', 'Compute', 'DecryptStringDesCbc', 'DecryptByteDesCbc', 'C1UyGy5s0hwZN2YrF0L', 'glrIye5IBKHPbbK8XS2', 'pRyvfN5fMygJfYFMpox', 'dLNibF5grGAHmef5LVc', 'd25Gdl5wB5kyUj9s37m', 'HVR9FH5q4oDb9QIxa2C'
Source: 0.2.file.exe.e12030.1.raw.unpack, A2H1lUZ15GsIooGy4G.cs | High entropy of concatenated method names: 'KJLJqDCbaj3SN79lIbl', 'dnByv3CvObaojhogyiw', 'LtQPyoxJn7', 'O4cPg5CmZmFVqVM9q3A', 'vDYK2eCesvkMsoMEF5v', 'gk4k0wCksfELvtNF0ns', 'g38PJ8K3c0', 'AZCPHbxqQi', 'kjCPpoa2Hi', 'zssPO0JXVk'

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE`,
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \QEMU-GA.EXE@\
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Memory allocated: 1640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Memory allocated: 3000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Memory allocated: 5000000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Memory allocated: 22D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Memory allocated: 2470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Memory allocated: 4470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Window / User API: threadDelayed 7447
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Window / User API: threadDelayed 957
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe TID: 516; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe TID: 4864; Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe TID: 2168; Thread sleep count: 7447 > 30
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe TID: 2168; Thread sleep count: 957 > 30
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe TID: 5972; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00DAB6DA FindFirstFileExW,0_2_00DAB6DA
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: discord.comVMware20,11696487552f
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: global block list test formVMware20,11696487552
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe@\
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: AMC password management pageVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: AMC password management pageVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: discord.comVMware20,11696487552f
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 2p4HikHFep.exe, 00000004.00000002.2291227679.0000000005EA6000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: \qemu-ga.exe`,
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000025A9000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9NKNgA+vC8A5zUncE8H2TafulfEOSRqFccYu86ht5uc0nLgpiCrzoulmnAYZLfk4zbvX51WQrYMsc8ORmzRWmqqLFXZVINxxVKaxrpheUhYRfRx54cZnzZZxdMOYT0VhpWbZdIcVFHnb3QBFJEgxwyQpCTte0yQjzn7uCUZsuA+iYIJO4a+Hmq+9ONtmOcMMYl7TbktlwpTMf366yxqm+uPbWY4CHOTnXrwGvPjnt7OfVwg2HHr8jHcJ5uzn/JOx/BvEfztbLR
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.000000000367A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 2p4HikHFep.exe, 00000004.00000002.2286181882.0000000003755000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00D97AF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D97AF1
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00DA913C mov eax, dword ptr fs:[00000030h] 0_2_00DA913C
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00DA1496 mov ecx, dword ptr fs:[00000030h] 0_2_00DA1496
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00DAEFC8 GetProcessHeap,0_2_00DAEFC8
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00D97C53 SetUnhandledExceptionFilter,0_2_00D97C53
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00D9DD68 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00D9DD68
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00D97D65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00D97D65
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe "C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe"
Source: C:\Users\user\Desktop\file.exe; Process created: C:\Users\user\AppData\Roaming\2p4HikHFep.exe "C:\Users\user\AppData\Roaming\2p4HikHFep.exe"
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003259000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: GetProgmanWindow
Source: IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003259000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_00D977D0 cpuid 0_2_00D977D0
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00DAE815
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW,0_2_00DA4128
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,0_2_00DAEA68
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00DAEB91
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,0_2_00DAEC97
Source: C:\Users\user\Desktop\file.exe; Code function: GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00DAE402
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,0_2_00DAE5FD
Source: C:\Users\user\Desktop\file.exe; Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00DAED66
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW,0_2_00DAE6EF
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW,0_2_00DAE6A4
Source: C:\Users\user\Desktop\file.exe; Code function: GetLocaleInfoW,0_2_00DA464E
Source: C:\Users\user\Desktop\file.exe; Code function: EnumSystemLocalesW,0_2_00DAE78A
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Queries volume information: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe; Queries volume information: C:\Users\user\AppData\Roaming\2p4HikHFep.exe VolumeInformation
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00D979E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00D979E4
                                Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: 2p4HikHFep.exe, 00000004.00000002.2296674406.0000000006DB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                                Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.e12030.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.e12030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.IDVNp0HKaI.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2119352114.0000000000C62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, type: DROPPED
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.dc6030.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.2p4HikHFep.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.dc6030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2120030420.0000000000142000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IDVNp0HKaI.exe PID: 4568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2p4HikHFep.exe PID: 1512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe, type: DROPPED
Source: Yara match | File source: 0.2.file.exe.e12030.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.e12030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.IDVNp0HKaI.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, type: DROPPED
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q4C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne|JaxxxLiberty
Source: 2p4HikHFep.exe, 00000004.00000002.2296902829.0000000006DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json}
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: 2p4HikHFep.exe, 00000004.00000002.2296902829.0000000006DFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json}
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q8C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: file.exe | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: Yara match | File source: 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2p4HikHFep.exe PID: 1512, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.e12030.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.e12030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.IDVNp0HKaI.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.2119352114.0000000000C62000.00000002.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, type: DROPPED
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.file.exe.dc6030.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.2p4HikHFep.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.dc6030.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000000.2120030420.0000000000142000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7116, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IDVNp0HKaI.exe PID: 4568, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 2p4HikHFep.exe PID: 1512, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe, type: DROPPED
Source: Yara match | File source: 0.2.file.exe.e12030.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.e12030.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.IDVNp0HKaI.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, type: DROPPED

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 221 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 12 Process Injection | 11 Deobfuscate/Decode Files or Information | 11 Input Capture | 2 File and Directory Discovery | Remote Desktop Protocol | 3 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | Security Account Manager | 134 System Information Discovery | SMB/Windows Admin Shares | 11 Input Capture | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Install Root Certificate | NTDS | 1 Query Registry | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Software Packing | LSA Secrets | 451 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 241 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Masquerading | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 241 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 12 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| file.exe | 71% | ReversingLabs | Win32.Trojan.Seraph | |
| file.exe | 100% | Joe Sandbox ML | | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | 100% | Joe Sandbox ML | | |
| C:\Users\user\AppData\Roaming\2p4HikHFep.exe | 88% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine | |
| C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe | 37% | ReversingLabs | Win32.Trojan.Jalapeno | |

No Antivirus matches

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | |
| https://api.ip.sb/ip | 0% | URL Reputation | safe | |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe | |
| https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe | |
| http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe | |

No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| https://duckduckgo.com/ac/?q= | 2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown |
| http://tempuri.org/Entity/Id14ResponseD | 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027D7000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id23ResponseD | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id12Response | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/ | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id2Response | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id15V | 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id21Response | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id9 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id8 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id6ResponseD | 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000027C0000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id5 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id4 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id7 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id6 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://tempuri.org/Entity/Id19Response | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
| http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | | unknown |
                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://tempuri.org/Entity/Id13ResponseD2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          https://discord.com/api/v9/users/IDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003130000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://schemas.xmlsoap.org/ws/2004/10/wsat/fault2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://tempuri.org/Entity/Id15Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    • URL Reputation: safe
                                                                                                    unknown
                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp92p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          http://tempuri.org/Entity/Id6Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              https://api.ip.sb/ipIDVNp0HKaI.exe, 00000002.00000002.2141471443.0000000003063000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000000.2120030420.0000000000142000.00000002.00000001.01000000.00000006.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe.0.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://schemas.xmlsoap.org/ws/2004/04/sc2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://tempuri.org/Entity/Id1ResponseD2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://tempuri.org/Entity/Id9Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        • URL Reputation: safe
                                                                                                                        unknown
                                                                                                                        http://tempuri.org/Entity/Id202p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          http://tempuri.org/Entity/Id212p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://tempuri.org/Entity/Id222p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA12p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://tempuri.org/Entity/Id232p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA12p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://tempuri.org/Entity/Id242p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://tempuri.org/Entity/Id24Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://www.ecosia.org/newtab/2p4HikHFep.exe, 00000004.00000002.2286181882.00000000037D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          • URL Reputation: safe
                                                                                                                                          unknown
                                                                                                                                          http://tempuri.org/Entity/Id1Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://tempuri.org/Entity/Id21ResponseD2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2004/04/trust2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    http://tempuri.org/Entity/Id102p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://tempuri.org/Entity/Id112p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://tempuri.org/Entity/Id10ResponseD2p4HikHFep.exe, 00000004.00000002.2282949938.000000000271B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://tempuri.org/Entity/Id122p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://tempuri.org/Entity/Id16Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://tempuri.org/Entity/Id132p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://tempuri.org/Entity/Id142p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      http://tempuri.org/Entity/Id152p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://tempuri.org/Entity/Id162p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            http://tempuri.org/Entity/Id172p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://tempuri.org/Entity/Id182p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
                                                                                                                                                                                                http://tempuri.org/Entity/Id5Response2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  unknown
                                                                                                                                                                                                  http://tempuri.org/Entity/Id192p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    unknown
                                                                                                                                                                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      unknown
URL | Source | Malicious | Reputation
http://tempuri.org/Entity/Id15ResponseD | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://tempuri.org/Entity/Id10Response | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://tempuri.org/Entity/Id11ResponseD | 2p4HikHFep.exe, 00000004.00000002.2282949938.00000000026C0000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://tempuri.org/Entity/Id8Response | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://tempuri.org/Entity/Id17ResponseD | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp | false | unknown
http://schemas.xmlsoap.org/soap/envelope/ | 2p4HikHFep.exe, 00000004.00000002.2282949938.0000000002471000.00000004.00000800.00020000.00000000.sdmp | false | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
65.21.18.51 | unknown | United States | 199592 | CP-ASDE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1521605
Start date and time: 2024-09-29 01:00:35 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/8@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 118
• Number of non-executed functions: 52
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
19:01:36 | API Interceptor | 43x Sleep call for process: 2p4HikHFep.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
65.21.18.51 | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc
 | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz
 | eovQPjY5wz.exe | malicious | LummaC, RedLine
 | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer
 | file.exe | malicious | Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT
 | jD6b7MZOhT.exe | malicious | Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine
 | file.exe | malicious | PureLog Stealer, RedLine, zgRAT
 | SecuriteInfo.com.Win32.TrojanX-gen.1325.25139.exe | malicious | Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc, Vidar
 | file.exe | malicious | PureLog Stealer, RedLine, zgRAT
 | file.exe | malicious | Amadey, Cryptbot, PureLog Stealer, RedLine, XWorm, zgRAT
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
CP-ASDE | Quote #260924.exe | malicious | FormBook | 65.21.196.90
 | https://claim.eventsmidasbuys.com/ | malicious | HTMLPhisher | 65.21.235.194
 | Quote #270924.exe | malicious | FormBook | 65.21.196.90
 | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 65.21.18.51
 | https://bn54.donegabang.com/ | malicious | Unknown | 65.21.235.194
 | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 65.21.18.51
 | eovQPjY5wz.exe | malicious | LummaC, RedLine | 65.21.18.51
 | file.exe | malicious | LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer | 65.21.18.51
 | Audio playback00_05-30-00000.html | malicious | HTMLPhisher | 65.21.45.74
 | file.exe | malicious | Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT | 65.21.18.51
No context
No context
Process: C:\Users\user\AppData\Roaming\2p4HikHFep.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 05:47:17 2023, atime=Wed Sep 27 08:36:54 2023, length=3242272, window=hide
Category: dropped
Size (bytes): 2104
Entropy (8bit): 3.467262442226708
Encrypted: false
SSDEEP: 48:8S4d5TvGk0lRYrnvPdAKRkdAGdAKRFdAKR6P:8SSbH7
MD5: 55342943CC12E243AB7A0947AABA3332
SHA1: 83906C0D6EA81A9D02E049098104566D14B9691E
SHA-256: 9439C344A1D1CD025D4FD0024578D843B5AA4B7F6C83402D7A98493DAF9FC16F
SHA-512: 50E2790E9EF711049910FE2E53C31EC78A580FA19685C60975A33E559F4339072BB03D7317ED303C056C41B1EAB1945DCEFFF92E9408B96351B8FF786FEED06A
Malicious: false
Reputation: low
Preview: L..................F.@.. ......,.....)..W....X.&&... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW.3..PROGRA~1..t......O.IEW.5....B...............J.......j.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW@2....L.....................p+j.G.o.o.g.l.e.....T.1.....EW.2..Chrome..>......CW.VEW.2....M.....................7...C.h.r.o.m.e.....`.1.....EW.2..APPLIC~1..H......CW.VEW.2..........................7...A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.L .chrome.exe..F......CW.VEW.5.........................l...c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process: C:\Users\user\AppData\Roaming\2p4HikHFep.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):3274
                                                                                                                                                                                                                                                Entropy (8bit):5.3318368586986695
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
                                                                                                                                                                                                                                                MD5:0B2E58EF6402AD69025B36C36D16B67F
                                                                                                                                                                                                                                                SHA1:5ECC642327EF5E6A54B7918A4BD7B46A512BF926
                                                                                                                                                                                                                                                SHA-256:4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
                                                                                                                                                                                                                                                SHA-512:1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe
                                                                                                                                                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):1119
                                                                                                                                                                                                                                                Entropy (8bit):5.345080863654519
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
                                                                                                                                                                                                                                                MD5:88593431AEF401417595E7A00FE86E5F
                                                                                                                                                                                                                                                SHA1:1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
                                                                                                                                                                                                                                                SHA-256:ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
                                                                                                                                                                                                                                                SHA-512:1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                                                                                                                                                                Process:C:\Users\user\AppData\Roaming\2p4HikHFep.exe
                                                                                                                                                                                                                                                File Type:data
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):2662
                                                                                                                                                                                                                                                Entropy (8bit):7.8230547059446645
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
                                                                                                                                                                                                                                                MD5:1420D30F964EAC2C85B2CCFE968EEBCE
                                                                                                                                                                                                                                                SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
                                                                                                                                                                                                                                                SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
                                                                                                                                                                                                                                                SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
                                                                                                                                                                                                                                                Malicious:false
                                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):311296
                                                                                                                                                                                                                                                Entropy (8bit):5.082476369292545
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:3072:Vq6EgY6iYrUjxQMbwPP9ktwT9N3TAVtYSK6VcZqf7D34teqiOLibBOc:cqY6i/wPCKN3TAbYgVcZqf7DIXL
                                                                                                                                                                                                                                                MD5:65C058E4A90D2EC70B03211D768B6ECC
                                                                                                                                                                                                                                                SHA1:BF5AF6F650759E5E612D42D72145660056737164
                                                                                                                                                                                                                                                SHA-256:5A00E3718AFB5BFB18A6B1C824B680015733F0403AF0D5663289A17BA8206CC3
                                                                                                                                                                                                                                                SHA-512:3D9114409F8096CE8A1D134A48235FBBAD0C6C53F820707A951BAC42C4F7BA6A38E98A50C9D929F049042263A7C0E24DA8368D3AA4E934F5DA79E9BDA4A930AA
                                                                                                                                                                                                                                                Malicious:true
                                                                                                                                                                                                                                                Yara Hits:
                                                                                                                                                                                                                                                • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe, Author: Joe Security
                                                                                                                                                                                                                                                Antivirus:
                                                                                                                                                                                                                                                • Antivirus: ReversingLabs, Detection: 88%
                                                                                                                                                                                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                                                                                                                File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                Category:dropped
                                                                                                                                                                                                                                                Size (bytes):501760
                                                                                                                                                                                                                                                Entropy (8bit):6.1274870659064
                                                                                                                                                                                                                                                Encrypted:false
                                                                                                                                                                                                                                                SSDEEP:6144:ChhuRs6j+uinO16pSuHugxyyyuf7CQHKCt/qXiZDo3xOxAAFQXNDHrg49/2CXfG:kuRR8YmpHug/7bXtiyZAcaAFyNR9Oqf
                                                                                                                                                                                                                                                MD5:B473C40205C61DC4750BC49F779908DD
                                                                                                                                                                                                                                                SHA1:88A0FC0962099F0AC2D827D2C4D691ED9CADE251
                                                                                                                                                                                                                                                SHA-256:8707C03158BA6395A11BDFD8C1B11EEEDC2E052D3B55D73D0A5C64417E5FBD3B
                                                                                                                                                                                                                                                SHA-512:8FBAAA5BDE30FE7C6E31A349C14E3BD710E92C4DBCCA8CBDBAF34583887BC31E07E10A0223FC6C6C0D091787C296EBA139EC91AF44EC4EE6ABBFB611493951D1
                                                                                                                                                                                                                                                Malicious:true
Yara Hits:
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, Author: ditekSHen
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 37%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ................0..$...........C... ...`....@.. ....................................@..................................C..K....`............................................................................... ............... ..H............text....#... ...$.................. ..`.rsrc........`.......&..............@..@.reloc..............................@..B.................C......H........V...v......7........)...........................................*...(....*...(....*.0...........s........~....%:....&~......"...s....%.....(...+o.....8[....o...............%..F~e...(.....%..G~e...(.....%..H~e...(.....%..e~e...(.....~f...(.......o......8......(......s.......sF.......~....}....~...........s....(....o....}......{.....I~e...(....o........9......I~e...(.......8C........~e...(....o....:......{....~g...(....8......{....~h...(.........(...........9........o.
Process:C:\Users\user\AppData\Roaming\2p4HikHFep.exe
File Type:data
Category:dropped
Size (bytes):2251
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:0158FE9CEAD91D1B027B795984737614
SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:false
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.876578872512974
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:file.exe
File size:1'030'144 bytes
MD5:c005d4ffa3e28c22b41a9d222598260a
SHA1:57cc3a6540bc38c649ddfdd54fa4f3c8a2423677
SHA256:799d10acbb0e2886c4d32c771964f4c2cb47f93c817cdc26a9acaefa3ba042cb
SHA512:ce39903c46160deeee1c7b362000361a3f5a9243b2e180bbaafa5b8ab09cc09ca413ce32f4deb2074fa928110d25b3dae7465c849fc388a58ddf649a9caa3a68
SSDEEP:24576:WdZE+NmjQ5WymWeoSAj6YztpJF+6Xkb1rlNF:YZbAjQ5WZW2KNFNXmF
TLSH:21251202B8D08073D832263A09D5EBB5897DB8700B524EAB63F51B7E9F706D1E734967
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`!...r...r...r...s...r...s|..r...s...r...s...r...rJ..r...s...r...s...r...s...r...s...r...s...rRich...r.......................
Icon Hash:00928e8e8686b000
Entrypoint:0x407409
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x66F6CD8C [Fri Sep 27 15:21:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:53ff33fd5198e78ab468db682bbdf2b7
Instruction
call 00007FC5CC4F16C8h
jmp 00007FC5CC4F0F19h
cmp ecx, dword ptr [00434010h]
jne 00007FC5CC4F10A3h
ret
jmp 00007FC5CC4F1A11h
push ebp
mov ebp, esp
jmp 00007FC5CC4F10AFh
push dword ptr [ebp+08h]
call 00007FC5CC4FCAFFh
pop ecx
test eax, eax
je 00007FC5CC4F10B1h
push dword ptr [ebp+08h]
call 00007FC5CC4F7DDAh
pop ecx
test eax, eax
je 00007FC5CC4F1088h
pop ebp
ret
cmp dword ptr [ebp+08h], FFFFFFFFh
je 00007FC5CC4F1BD9h
jmp 00007FC5CC4F1BB6h
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007FC5CC4F1BE5h
pop ecx
pop ebp
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 00427168h
je 00007FC5CC4F10ACh
push 0000000Ch
push esi
call 00007FC5CC4F107Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007FC5CC4F10BBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007FC5CC4F10ACh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007FC5CC4F10AEh
add edx, 28h
cmp edx, esi
jne 00007FC5CC4F108Ch
                                                                                                                                                                                                                                                xor eax, eax
                                                                                                                                                                                                                                                pop esi
                                                                                                                                                                                                                                                pop ebp
                                                                                                                                                                                                                                                ret
                                                                                                                                                                                                                                                mov eax, edx
                                                                                                                                                                                                                                                jmp 00007FC5CC4F109Bh
                                                                                                                                                                                                                                                push esi
                                                                                                                                                                                                                                                call 00007FC5CC4F1B7Ah
                                                                                                                                                                                                                                                test eax, eax
                                                                                                                                                                                                                                                je 00007FC5CC4F10C2h
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x33008          0x28          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xfd000          0x1bb0        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x315e8          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x31528          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x26000          0x140         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     Entropy             Characteristics                                                                File Type
.text   0x1000           0x24466       0x24600   0c4738d81d73c682a7176c49d884d028  False     0.5877094072164949  6.678101569726585   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                  data
.rdata  0x26000          0xd736        0xd800    80d6e2694c167a79376bff718ea4ab9f  False     0.5212492766203703  5.545848281195964   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                             data
.data   0x34000          0x1e1c        0x1000    68571ce5c9d38881bd2e610f56aba1fc  False     0.18359375          2.8939753263815224  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE        DOS executable (block device driver \377\377\377\377N,32-bit sector-support)
.cSs    0x36000          0xc6830       0xc6a00   c831c9a0567b486aa9fb7d2ac48d3f14  False     0.9997935022026432  7.999710653343722   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE        data
.reloc  0xfd000          0x1bb0        0x1c00    b6b13820d4fcbed996b2b36260b09def  False     0.7466517857142857  6.53780749791959    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ  data
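The loop in the disassembly above reads NumberOfSections at offset 6 of the NT headers (`movzx eax, word ptr [ecx+06h]`), scales it by the 0x28-byte IMAGE_SECTION_HEADER size (`imul esi, eax, 28h`), and then compares a caller-supplied RVA against each header's VirtualAddress (+0x0C) and VirtualAddress plus VirtualSize (+0x08), returning the header pointer on a hit and zero when no section matches: a section lookup by RVA, the kind of routine a loader needs before it can work with the section table just listed. The following Python example is added here and is not code from the report or from the sample. It reimplements that lookup on a constructed PE image whose section names, VirtualAddress, VirtualSize and Characteristics copy the report's table (the raw contents are synthetic fillers chosen to give known entropies, the image has no optional header, and the 7.5 bits/byte packing threshold is an assumption), resolves the data-directory RVAs from the table above to confirm the "Is in Section" column, and scores each section's raw bytes by Shannon entropy, the metric behind the report's Entropy column. A writable section at 7.9997 bits/byte like .cSs is almost certainly compressed or encrypted data, and a script like this one flags it without any knowledge of the packer.

```python
# Added example (not code from the report or from the sample): walk a PE
# section table the way the disassembled loop does, resolve RVAs to sections,
# and score each section's raw bytes by Shannon entropy.  The PE image is
# constructed here: VirtualAddress/VirtualSize/Characteristics copy the
# report's section table, the raw contents are synthetic fillers.
import math
import struct
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 0x28 bytes
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes) -> list:
    """Return one dict per IMAGE_SECTION_HEADER with its raw-data entropy."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # NT headers + 6 is FileHeader.NumberOfSections, the word the disassembly
    # loads with `movzx eax, word ptr [ecx+06h]` before `imul esi, eax, 28h`.
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size             # IMAGE_FIRST_SECTION
    sections = []
    for i in range(n_sections):
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         chars) = SECTION_HDR.unpack_from(image, first + i * SECTION_HDR.size)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "chars": chars, "entropy": shannon_entropy(raw)})
    return sections


def rva_to_section(sections: list, rva: int):
    """The disassembly's test: VirtualAddress <= rva < VirtualAddress + VirtualSize.
    Returns None for an RVA that falls in an alignment gap between sections."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["vsize"]:
            return s
    return None


def flag_packed(sections: list, threshold: float = 7.5) -> list:
    """Names of writable sections whose raw bytes look compressed or encrypted.
    The 7.5 bits/byte threshold is an assumption, not a value from the report."""
    return [s["name"] for s in sections
            if s["chars"] & IMAGE_SCN_MEM_WRITE and s["entropy"] >= threshold]


def build_constructed_image() -> bytes:
    """Minimal PE (constructed, no optional header) with the report's layout."""
    # name, VirtualAddress, VirtualSize, Characteristics, synthetic raw bytes
    layout = [
        (b".text",  0x1000,  0x24466, 0x60000020, bytes(range(0, 256, 2)) * 8),    # 128 symbols -> 7.0
        (b".rdata", 0x26000, 0xd736,  0x40000040, bytes(range(0, 256, 4)) * 16),   # 64 symbols  -> 6.0
        (b".data",  0x34000, 0x1e1c,  0xC0000040, b"\0" * 1024),                   # constant    -> 0.0
        (b".cSs",   0x36000, 0xc6830, 0xC0000040, bytes(range(256)) * 4),          # uniform     -> 8.0
        (b".reloc", 0xfd000, 0x1bb0,  0x42000040, bytes(range(0, 256, 16)) * 64),  # 16 symbols  -> 4.0
    ]
    headers_end = 0x40 + 24 + len(layout) * SECTION_HDR.size
    raw_base = (headers_end + 0x1FF) & ~0x1FF                # FileAlignment 0x200
    headers, blobs = b"", b""
    for name, va, vsize, chars, data in layout:
        headers += SECTION_HDR.pack(name, vsize, va, len(data), raw_base + len(blobs),
                                    0, 0, 0, 0, chars)
        blobs += data
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0x102)
    image = dos_header + b"PE\0\0" + file_header + headers
    return image.ljust(raw_base, b"\0") + blobs


if __name__ == "__main__":
    secs = parse_sections(build_constructed_image())
    for s in secs:
        print(f"{s['name']:<7} VA={s['va']:#09x} VSize={s['vsize']:#09x} H={s['entropy']:.3f}")
    for rva in (0x33008, 0x315e8, 0x31528, 0x26000, 0xfd000):
        hit = rva_to_section(secs, rva)
        print(f"RVA {rva:#08x} -> {hit['name'] if hit else 'no section'}")
    print("writable high-entropy sections:", flag_packed(secs))
```

The lookup deliberately uses VirtualSize rather than SizeOfRawData or the section-aligned size, exactly as the disassembly does, so an RVA in the slack between the end of .rdata (0x33736) and the start of .data (0x34000) resolves to no section. On a real file, replace `build_constructed_image()` with the bytes read from disk; the header walk is the same.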
DLL           Import
KERNEL32.dll  WaitForSingleObject, LoadLibraryW, CreateThread, MultiByteToWideChar, GetStringTypeW, WideCharToMultiByte, CloseHandle, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, QueryPerformanceCounter, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetCPInfo, IsProcessorFeaturePresent, GetCurrentProcessId, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, SetEndOfFile, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, ReadFile, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetProcessHeap, CreateFileW, ReadConsoleW, HeapSize, WriteConsoleW
Timestamp                        SID      Severity  Source IP    Source Port  Dest IP      Dest Port  Protocol  Signature
2024-09-29T01:01:30.159126+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:30.159126+0200  2046045  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)
2024-09-29T01:01:30.365180+0200  2043234  1         65.21.18.51  45580        192.168.2.6  49712      TCP       ET MALWARE Redline Stealer TCP CnC - Id1Response
2024-09-29T01:01:35.414922+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:35.922404+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:35.927382+0200  2046056  1         65.21.18.51  45580        192.168.2.6  49712      TCP       ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)
2024-09-29T01:01:36.204197+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:38.635563+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:38.848399+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:39.075145+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:39.309080+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:39.526985+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:39.740338+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:39.948801+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:40.349250+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:40.354537+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:40.631571+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:40.956314+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:41.177133+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:41.439832+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:41.513401+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:41.720483+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:41.927155+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:42.132586+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:42.337332+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:42.544940+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
2024-09-29T01:01:42.793733+0200  2043231  1         192.168.2.6  49712        65.21.18.51  45580      TCP       ET MALWARE Redline Stealer TCP CnC Activity
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 29, 2024 01:01:29.406912088 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:29.414182901 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:29.416230917 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:29.425641060 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:29.432833910 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:30.095062017 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:30.142929077 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:30.159126043 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:30.165451050 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:30.365180016 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:30.408520937 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:35.414921999 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:35.420120955 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622122049 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622139931 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622153044 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622164965 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622178078 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622184038 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:35.622245073 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:35.622278929 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:35.922404051 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:35.927381992 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:36.130783081 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:36.174209118 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:36.204196930 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:36.209060907 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:36.410026073 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:36.455478907 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:38.635562897 CEST  49712        45580      192.168.2.6  65.21.18.51
Sep 29, 2024 01:01:38.641061068 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:38.842802048 CEST  45580        49712      65.21.18.51  192.168.2.6
Sep 29, 2024 01:01:38.848398924 CEST  49712        45580      192.168.2.6  65.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:38.855581999 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.059225082 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.075145006 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.083317995 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.282284021 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.309079885 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.314026117 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.513540983 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.526984930 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.532046080 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.732289076 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.740338087 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.745279074 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.944636106 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.948801041 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:39.955832005 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.155760050 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.205430984 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.349250078 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354446888 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354461908 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354484081 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354496002 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354537010 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354573011 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354583025 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354610920 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354620934 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354711056 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.354721069 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.359076023 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.359091997 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.359103918 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.359312057 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.359433889 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.587551117 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.631571054 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.636430025 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.835732937 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.877280951 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.956314087 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:40.961505890 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.160842896 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.177133083 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.182010889 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.182023048 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.182033062 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.182142019 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.182173967 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.182183981 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.391231060 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.439831972 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.513401031 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.518357992 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.718204975 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.720483065 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.725698948 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.925117016 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.927155018 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:41.932029009 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.131433964 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.132586002 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.137415886 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.336760044 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.337332010 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.342153072 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.541729927 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.544939995 CEST4971245580192.168.2.665.21.18.51
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.550035000 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.761431932 CEST455804971265.21.18.51192.168.2.6
                                                                                                                                                                                                                                                Sep 29, 2024 01:01:42.793732882 CEST4971245580192.168.2.665.21.18.51

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                Click to jump to process

                                                                                                                                                                                                                                                Click to dive into process behavior distribution

                                                                                                                                                                                                                                                Click to jump to process

Target ID: 0
Start time: 19:01:25
Start date: 28/09/2024
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0xd90000
File size: 1'030'144 bytes
MD5 hash: C005D4FFA3E28C22B41A9D222598260A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 19:01:25
Start date: 28/09/2024
Path: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe"
Imagebase: 0xc60000
File size: 501'760 bytes
MD5 hash: B473C40205C61DC4750BC49F779908DD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000000.2119352114.0000000000C62000.00000002.00000001.01000000.00000005.sdmp, Author: Joe Security
• Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, Author: Joe Security
                                                                                                                                                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, Author: Joe Security
                                                                                                                                                                                                                                                • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\IDVNp0HKaI.exe, Author: ditekSHen
                                                                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                                                • Detection: 37%, ReversingLabs
                                                                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                                                                Has exited:true

Target ID: 3
Start time: 19:01:25
Start date: 28/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 19:01:25
Start date: 28/09/2024
Path: C:\Users\user\AppData\Roaming\2p4HikHFep.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Roaming\2p4HikHFep.exe"
Imagebase: 0x140000
File size: 311'296 bytes
MD5 hash: 65C058E4A90D2EC70B03211D768B6ECC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000004.00000000.2120030420.0000000000142000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2282949938.0000000002518000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2282949938.0000000002879000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\2p4HikHFep.exe, Author: Joe Security
Antivirus matches:
• Detection: 88%, ReversingLabs
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 6.1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 1.9%
Total number of Nodes: 2000
Total number of Limit Nodes: 58
[Execution graph node listing omitted: raw node-to-node edges of the interactive graph view. Win32 API calls visible in the graph nodes: InitializeCriticalSectionEx, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, HeapSize, HeapReAlloc, CreateFileW, ReadFile, GetFileType, GetFileSizeEx, SetFilePointerEx, SetStdHandle, CloseHandle, GetLastError, MultiByteToWideChar.]
17957->17962 17963 dacc71 17960->17963 17961 d9e062 __Wcrtomb 14 API calls 17964 dacc39 17961->17964 17962->17931 17965 d9e062 __Wcrtomb 14 API calls 17963->17965 17964->17931 17966 dacc79 17965->17966 17967 d9df64 ___std_exception_copy 41 API calls 17966->17967 17967->17964 17969 da527c __Wcrtomb 14 API calls 17968->17969 17970 d9e054 17969->17970 17970->17961 17972 da6ca3 __FrameHandler3::FrameUnwindToState 17971->17972 17973 da6d67 17972->17973 17975 da6cf8 17972->17975 17981 da6cab 17972->17981 17974 d9dee7 _Fputc 41 API calls 17973->17974 17974->17981 17988 dac9a3 EnterCriticalSection 17975->17988 17977 da6cfe 17978 da6d1b 17977->17978 17989 da6d9f 17977->17989 18017 da6d5f 17978->18017 17981->17943 17983 da8a59 _Fputc 17982->17983 18092 da889c 17983->18092 17986 d9bbc5 _Fputc 41 API calls 17987 da8a7d 17986->17987 17987->17943 17988->17977 17991 da6dc4 17989->17991 18014 da6de7 __wsopen_s 17989->18014 17990 da6dc8 17992 d9dee7 _Fputc 41 API calls 17990->17992 17991->17990 17993 da6e26 17991->17993 17992->18014 17994 da6e3d 17993->17994 18027 da8ae3 17993->18027 18020 da68ec 17994->18020 17998 da6e8d 18000 da6ef0 WriteFile 17998->18000 18001 da6ea1 17998->18001 17999 da6e4d 18002 da6e77 17999->18002 18003 da6e54 17999->18003 18004 da6f12 GetLastError 18000->18004 18000->18014 18006 da6ea9 18001->18006 18007 da6ede 18001->18007 18035 da64b2 GetConsoleOutputCP 18002->18035 18003->18014 18030 da6884 18003->18030 18004->18014 18008 da6eae 18006->18008 18009 da6ecc 18006->18009 18063 da696a 18007->18063 18012 da6eb7 18008->18012 18008->18014 18055 da6b2e 18009->18055 18048 da6a45 18012->18048 18014->17978 18015 da6e88 18015->18014 18091 daca58 LeaveCriticalSection 18017->18091 18019 da6d65 18019->17981 18021 db1bbe __wsopen_s 41 API calls 18020->18021 18023 da68fe 18021->18023 18022 da692c 18025 da6946 GetConsoleMode 18022->18025 18026 da695f 18022->18026 18023->18022 18023->18026 18070 d9d720 18023->18070 18025->18026 18026->17998 18026->17999 18085 da89c2 
18027->18085 18029 da8afc 18029->17994 18031 da68a6 18030->18031 18032 da68db 18030->18032 18031->18032 18033 db1c14 5 API calls __wsopen_s 18031->18033 18034 da68dd GetLastError 18031->18034 18032->18014 18033->18031 18034->18032 18036 da6524 18035->18036 18044 da652b codecvt 18035->18044 18037 d9d720 _Fputc 41 API calls 18036->18037 18037->18044 18038 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18039 da687d 18038->18039 18039->18015 18040 da620e 42 API calls __wsopen_s 18040->18044 18041 da67e8 18041->18038 18042 dab07b _Fputc WideCharToMultiByte 18042->18044 18043 da6763 WriteFile 18043->18044 18045 da685b GetLastError 18043->18045 18044->18040 18044->18041 18044->18042 18044->18043 18046 db1ab6 5 API calls std::_Locinfo::_Locinfo_dtor 18044->18046 18047 da67a3 WriteFile 18044->18047 18045->18041 18046->18044 18047->18044 18047->18045 18052 da6a54 __wsopen_s 18048->18052 18049 da6b13 18050 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18049->18050 18054 da6b2c 18050->18054 18051 da6ac9 WriteFile 18051->18052 18053 da6b15 GetLastError 18051->18053 18052->18049 18052->18051 18053->18049 18054->18014 18062 da6b3d __wsopen_s 18055->18062 18056 da6c45 18057 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18056->18057 18058 da6c5e 18057->18058 18058->18015 18059 dab07b _Fputc WideCharToMultiByte 18059->18062 18060 da6c47 GetLastError 18060->18056 18061 da6bfc WriteFile 18061->18060 18061->18062 18062->18056 18062->18059 18062->18060 18062->18061 18068 da6979 __wsopen_s 18063->18068 18064 da6a2a 18065 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18064->18065 18066 da6a43 18065->18066 18066->18015 18067 da69e9 WriteFile 18067->18068 18069 da6a2c GetLastError 18067->18069 18068->18064 18068->18067 18069->18064 18071 d9bd6c _Fputc 41 API calls 18070->18071 18072 d9d730 18071->18072 18077 da5491 18072->18077 18078 da54a8 18077->18078 18079 d9d74d 
18077->18079 18078->18079 18080 dadc35 __Getctype 41 API calls 18078->18080 18081 da54ef 18079->18081 18080->18079 18082 d9d75a 18081->18082 18083 da5506 18081->18083 18082->18022 18083->18082 18084 dac173 __wsopen_s 41 API calls 18083->18084 18084->18082 18086 dacc1f __wsopen_s 41 API calls 18085->18086 18087 da89d4 18086->18087 18088 da89f0 SetFilePointerEx 18087->18088 18090 da89dc __wsopen_s 18087->18090 18089 da8a08 GetLastError 18088->18089 18088->18090 18089->18090 18090->18029 18091->18019 18093 da88a8 __FrameHandler3::FrameUnwindToState 18092->18093 18094 da8986 18093->18094 18096 da8904 18093->18096 18102 da88b0 18093->18102 18095 d9dee7 _Fputc 41 API calls 18094->18095 18095->18102 18103 dac9a3 EnterCriticalSection 18096->18103 18098 da890a 18099 da892f 18098->18099 18100 da89c2 __wsopen_s 43 API calls 18098->18100 18104 da897e 18099->18104 18100->18099 18102->17986 18103->18098 18107 daca58 LeaveCriticalSection 18104->18107 18106 da8984 18106->18102 18107->18106 22033 d9678d 22034 d9679c 22033->22034 22036 d967c0 22034->22036 22037 d9f506 22034->22037 22038 d9f519 _Fputc 22037->22038 22043 d9f43d 22038->22043 22040 d9f52e 22041 d9bbc5 _Fputc 41 API calls 22040->22041 22042 d9f53b 22041->22042 22042->22036 22044 d9f44f 22043->22044 22045 d9f472 22043->22045 22046 d9dee7 _Fputc 41 API calls 22044->22046 22045->22044 22048 d9f499 22045->22048 22047 d9f46a 22046->22047 22047->22040 22051 d9f342 22048->22051 22052 d9f34e __FrameHandler3::FrameUnwindToState 22051->22052 22059 d9bb55 EnterCriticalSection 22052->22059 22054 d9f35c 22060 d9f39d 22054->22060 22056 d9f369 22069 d9f391 22056->22069 22059->22054 22061 d9ed18 ___scrt_uninitialize_crt 66 API calls 22060->22061 22062 d9f3b8 22061->22062 22063 da4990 14 API calls 22062->22063 22064 d9f3c2 22063->22064 22065 da4084 __Wcrtomb 14 API calls 22064->22065 22066 d9f3dd 22064->22066 22067 d9f401 22065->22067 22066->22056 22068 da40e1 ___free_lconv_mon 14 API calls 22067->22068 22068->22066 22072 d9bb69 
LeaveCriticalSection 22069->22072 22071 d9f37a 22071->22040 22072->22071 22084 da7d81 22085 da7d8e 22084->22085 22089 da7da6 22084->22089 22086 d9e062 __Wcrtomb 14 API calls 22085->22086 22087 da7d93 22086->22087 22090 d9df64 ___std_exception_copy 41 API calls 22087->22090 22088 da7d9e 22089->22088 22091 da7e05 22089->22091 22092 da80f5 _Ungetc 14 API calls 22089->22092 22090->22088 22093 da4bc2 _Ungetc 41 API calls 22091->22093 22092->22091 22094 da7e1e 22093->22094 22104 db210c 22094->22104 22097 da4bc2 _Ungetc 41 API calls 22098 da7e57 22097->22098 22098->22088 22099 da4bc2 _Ungetc 41 API calls 22098->22099 22100 da7e65 22099->22100 22100->22088 22101 da4bc2 _Ungetc 41 API calls 22100->22101 22102 da7e73 22101->22102 22103 da4bc2 _Ungetc 41 API calls 22102->22103 22103->22088 22105 db2118 __FrameHandler3::FrameUnwindToState 22104->22105 22106 db2138 22105->22106 22107 db2120 22105->22107 22109 db21f5 22106->22109 22114 db216e 22106->22114 22108 d9e04f __dosmaperr 14 API calls 22107->22108 22111 db2125 22108->22111 22110 d9e04f __dosmaperr 14 API calls 22109->22110 22112 db21fa 22110->22112 22113 d9e062 __Wcrtomb 14 API calls 22111->22113 22117 d9e062 __Wcrtomb 14 API calls 22112->22117 22118 da7e26 22113->22118 22115 db218c 22114->22115 22116 db2177 22114->22116 22134 dac9a3 EnterCriticalSection 22115->22134 22119 d9e04f __dosmaperr 14 API calls 22116->22119 22121 db2184 22117->22121 22118->22088 22118->22097 22122 db217c 22119->22122 22127 d9df64 ___std_exception_copy 41 API calls 22121->22127 22124 d9e062 __Wcrtomb 14 API calls 22122->22124 22123 db2192 22125 db21ae 22123->22125 22126 db21c3 22123->22126 22124->22121 22128 d9e062 __Wcrtomb 14 API calls 22125->22128 22129 db2220 __wsopen_s 53 API calls 22126->22129 22127->22118 22130 db21b3 22128->22130 22133 db21be 22129->22133 22131 d9e04f __dosmaperr 14 API calls 22130->22131 22131->22133 22135 db21ed 22133->22135 22134->22123 22138 daca58 LeaveCriticalSection 22135->22138 22137 db21f3 22137->22118 
22138->22137 18562 d97287 18563 d97293 __FrameHandler3::FrameUnwindToState 18562->18563 18588 d974f8 18563->18588 18565 d9729a 18566 d973f3 18565->18566 18574 d972c4 ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState ___scrt_release_startup_lock 18565->18574 18622 d97af1 IsProcessorFeaturePresent 18566->18622 18568 d973fa 18603 da15a3 18568->18603 18571 da1567 __FrameHandler3::FrameUnwindToState 23 API calls 18572 d97408 18571->18572 18573 d972e3 18574->18573 18578 d97364 18574->18578 18606 da157d 18574->18606 18576 d9736a 18600 d93ed0 CreateThread WaitForSingleObject 18576->18600 18596 da11e1 18578->18596 18583 d9738f 18584 d97398 18583->18584 18613 da1558 18583->18613 18616 d97669 18584->18616 18589 d97501 18588->18589 18626 d977d0 IsProcessorFeaturePresent 18589->18626 18593 d97512 18594 d97516 18593->18594 18636 d9a59d 18593->18636 18594->18565 18597 da11ea 18596->18597 18598 da11ef 18596->18598 18696 da0f3b 18597->18696 18598->18576 18601 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18600->18601 18791 d938b0 18600->18791 18602 d93f12 18601->18602 18611 d97c11 GetModuleHandleW 18602->18611 18604 da138b __FrameHandler3::FrameUnwindToState 23 API calls 18603->18604 18605 d97400 18604->18605 18605->18571 18607 da1593 std::_Locinfo::_Locinfo_dtor 18606->18607 18610 da07a4 __FrameHandler3::FrameUnwindToState 18606->18610 18607->18578 18608 da512b __Getctype 41 API calls 18608->18610 18609 d9e12c __FrameHandler3::FrameUnwindToState 41 API calls 18609->18610 18610->18606 18610->18608 18610->18609 18612 d9738b 18611->18612 18612->18568 18612->18583 18614 da138b __FrameHandler3::FrameUnwindToState 23 API calls 18613->18614 18615 da1563 18614->18615 18615->18584 18617 d97675 18616->18617 18618 d973a1 18617->18618 19814 da3360 18617->19814 18618->18573 18620 d97683 18621 d9a59d ___scrt_uninitialize_crt 7 API calls 18620->18621 18621->18618 18623 d97b07 __FrameHandler3::FrameUnwindToState codecvt 18622->18623 18624 
d97bb2 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 18623->18624 18625 d97bfd __FrameHandler3::FrameUnwindToState 18624->18625 18625->18568 18627 d9750d 18626->18627 18628 d9a57e 18627->18628 18642 d9b657 18628->18642 18631 d9a587 18631->18593 18633 d9a58f 18634 d9a59a 18633->18634 18656 d9b693 18633->18656 18634->18593 18637 d9a5b0 18636->18637 18638 d9a5a6 18636->18638 18637->18594 18639 d9a716 ___vcrt_uninitialize_ptd 6 API calls 18638->18639 18640 d9a5ab 18639->18640 18641 d9b693 ___vcrt_uninitialize_locks DeleteCriticalSection 18640->18641 18641->18637 18643 d9b660 18642->18643 18645 d9b689 18643->18645 18646 d9a583 18643->18646 18660 d9b89c 18643->18660 18647 d9b693 ___vcrt_uninitialize_locks DeleteCriticalSection 18645->18647 18646->18631 18648 d9a6e3 18646->18648 18647->18646 18677 d9b7ad 18648->18677 18651 d9a6f8 18651->18633 18654 d9a713 18654->18633 18657 d9b6bd 18656->18657 18658 d9b69e 18656->18658 18657->18631 18659 d9b6a8 DeleteCriticalSection 18658->18659 18659->18657 18659->18659 18665 d9b6c2 18660->18665 18663 d9b8d4 InitializeCriticalSectionAndSpinCount 18664 d9b8bf 18663->18664 18664->18643 18666 d9b6e3 18665->18666 18667 d9b6df 18665->18667 18666->18667 18669 d9b74b GetProcAddress 18666->18669 18670 d9b73c 18666->18670 18672 d9b762 LoadLibraryExW 18666->18672 18667->18663 18667->18664 18669->18667 18670->18669 18671 d9b744 FreeLibrary 18670->18671 18671->18669 18673 d9b779 GetLastError 18672->18673 18674 d9b7a9 18672->18674 18673->18674 18675 d9b784 ___vcrt_InitializeCriticalSectionEx 18673->18675 18674->18666 18675->18674 18676 d9b79a LoadLibraryExW 18675->18676 18676->18666 18678 d9b6c2 ___vcrt_InitializeCriticalSectionEx 5 API calls 18677->18678 18679 d9b7c7 18678->18679 18680 d9b7e0 TlsAlloc 18679->18680 18681 d9a6ed 18679->18681 18681->18651 18682 d9b85e 18681->18682 18683 d9b6c2 ___vcrt_InitializeCriticalSectionEx 5 API calls 18682->18683 18684 d9b878 18683->18684 18685 d9b893 TlsSetValue 18684->18685 18686 
d9a706 18684->18686 18685->18686 18686->18654 18687 d9a716 18686->18687 18688 d9a726 18687->18688 18689 d9a720 18687->18689 18688->18651 18691 d9b7e8 18689->18691 18692 d9b6c2 ___vcrt_InitializeCriticalSectionEx 5 API calls 18691->18692 18693 d9b802 18692->18693 18694 d9b81a TlsFree 18693->18694 18695 d9b80e 18693->18695 18694->18695 18695->18688 18697 da0f44 18696->18697 18700 da0f5a 18696->18700 18697->18700 18702 da0f67 18697->18702 18699 da0f51 18699->18700 18719 da10d2 18699->18719 18700->18598 18703 da0f73 18702->18703 18704 da0f70 18702->18704 18727 dac12b 18703->18727 18704->18699 18709 da0f90 18754 da0fc1 18709->18754 18710 da0f84 18711 da40e1 ___free_lconv_mon 14 API calls 18710->18711 18713 da0f8a 18711->18713 18713->18699 18715 da40e1 ___free_lconv_mon 14 API calls 18716 da0fb4 18715->18716 18717 da40e1 ___free_lconv_mon 14 API calls 18716->18717 18718 da0fba 18717->18718 18718->18699 18720 da1143 18719->18720 18723 da10e1 18719->18723 18720->18700 18721 dab07b WideCharToMultiByte _Fputc 18721->18723 18722 da4084 __Wcrtomb 14 API calls 18722->18723 18723->18720 18723->18721 18723->18722 18724 da1147 18723->18724 18726 da40e1 ___free_lconv_mon 14 API calls 18723->18726 18725 da40e1 ___free_lconv_mon 14 API calls 18724->18725 18725->18720 18726->18723 18728 da0f79 18727->18728 18729 dac134 18727->18729 18733 dac42d GetEnvironmentStringsW 18728->18733 18730 da51e6 41 API calls 18729->18730 18731 dac157 18730->18731 18732 dabf36 52 API calls 18731->18732 18732->18728 18734 dac445 18733->18734 18747 da0f7e 18733->18747 18735 dab07b _Fputc WideCharToMultiByte 18734->18735 18736 dac462 18735->18736 18737 dac46c FreeEnvironmentStringsW 18736->18737 18738 dac477 18736->18738 18737->18747 18739 da5416 std::_Locinfo::_Locinfo_dtor 15 API calls 18738->18739 18740 dac47e 18739->18740 18741 dac486 18740->18741 18742 dac497 18740->18742 18743 da40e1 ___free_lconv_mon 14 API calls 18741->18743 18744 dab07b _Fputc WideCharToMultiByte 18742->18744 18745 dac48b 
FreeEnvironmentStringsW 18743->18745 18746 dac4a7 18744->18746 18745->18747 18748 dac4ae 18746->18748 18749 dac4b6 18746->18749 18747->18709 18747->18710 18751 da40e1 ___free_lconv_mon 14 API calls 18748->18751 18750 da40e1 ___free_lconv_mon 14 API calls 18749->18750 18752 dac4b4 FreeEnvironmentStringsW 18750->18752 18751->18752 18752->18747 18755 da0fd6 18754->18755 18756 da4084 __Wcrtomb 14 API calls 18755->18756 18757 da0ffd 18756->18757 18758 da1005 18757->18758 18767 da100f 18757->18767 18759 da40e1 ___free_lconv_mon 14 API calls 18758->18759 18775 da0f97 18759->18775 18760 da106c 18761 da40e1 ___free_lconv_mon 14 API calls 18760->18761 18761->18775 18762 da4084 __Wcrtomb 14 API calls 18762->18767 18763 da107b 18785 da10a3 18763->18785 18767->18760 18767->18762 18767->18763 18769 da1096 18767->18769 18771 da40e1 ___free_lconv_mon 14 API calls 18767->18771 18776 da33ef 18767->18776 18768 da40e1 ___free_lconv_mon 14 API calls 18770 da1088 18768->18770 18772 d9df91 __Getctype 11 API calls 18769->18772 18774 da40e1 ___free_lconv_mon 14 API calls 18770->18774 18771->18767 18773 da10a2 18772->18773 18774->18775 18775->18715 18777 da340b 18776->18777 18778 da33fd 18776->18778 18779 d9e062 __Wcrtomb 14 API calls 18777->18779 18778->18777 18783 da3423 18778->18783 18780 da3413 18779->18780 18782 d9df64 ___std_exception_copy 41 API calls 18780->18782 18781 da341d 18781->18767 18782->18781 18783->18781 18784 d9e062 __Wcrtomb 14 API calls 18783->18784 18784->18780 18786 da1081 18785->18786 18790 da10b0 18785->18790 18786->18768 18787 da10c7 18788 da40e1 ___free_lconv_mon 14 API calls 18787->18788 18788->18786 18789 da40e1 ___free_lconv_mon 14 API calls 18789->18790 18790->18787 18790->18789 18830 d97421 18791->18830 18793 d938d3 std::ios_base::_Ios_base_dtor 18794 d938f2 LoadLibraryW 18793->18794 18840 d92310 18794->18840 18833 d97426 18830->18833 18832 d97440 18832->18793 18833->18832 18834 da2e88 std::_Facet_Register 2 API calls 18833->18834 18835 d97442 
std::_Facet_Register 18833->18835 18926 d9e170 18833->18926 18834->18833 18836 d97f7e std::_Facet_Register 18835->18836 18935 d98080 18835->18935 18837 d98080 CallUnexpected RaiseException 18836->18837 18838 d97f9b 18837->18838 18843 d92358 std::ios_base::_Ios_base_dtor 18840->18843 18847 d936b0 std::ios_base::_Ios_base_dtor 18840->18847 18841 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 18842 d93713 18841->18842 18851 d91fd0 18842->18851 18844 d94380 std::ios_base::_Init 43 API calls 18843->18844 18846 d936b2 18843->18846 18843->18847 18848 d93717 18843->18848 18938 d91110 18843->18938 18844->18843 18846->18847 18846->18848 18847->18841 18942 d9df74 18848->18942 19154 d93fb0 18851->19154 18927 da5416 18926->18927 18928 da5454 18927->18928 18930 da543f HeapAlloc 18927->18930 18933 da5428 __Wcrtomb 18927->18933 18929 d9e062 __Wcrtomb 14 API calls 18928->18929 18931 da5459 18929->18931 18932 da5452 18930->18932 18930->18933 18931->18833 18932->18931 18933->18928 18933->18930 18934 da2e88 std::_Facet_Register 2 API calls 18933->18934 18934->18933 18936 d980c7 RaiseException 18935->18936 18937 d9809a 18935->18937 18936->18836 18937->18936 18939 d91122 18938->18939 18947 d9d97e 18939->18947 18943 d9deb0 ___std_exception_copy 41 API calls 18942->18943 18944 d9df83 18943->18944 18945 d9df91 __Getctype 11 API calls 18944->18945 18946 d9df90 18945->18946 18949 d9d992 _Fputc 18947->18949 18948 d9d9b4 18950 d9dee7 _Fputc 41 API calls 18948->18950 18949->18948 18951 d9d9db 18949->18951 18952 d9d9cf 18950->18952 18956 d9bdb9 18951->18956 18954 d9bbc5 _Fputc 41 API calls 18952->18954 18955 d9113c 18954->18955 18955->18843 18957 d9bdc5 __FrameHandler3::FrameUnwindToState 18956->18957 18964 d9bb55 EnterCriticalSection 18957->18964 18959 d9bdd3 18965 d9c96a 18959->18965 18964->18959 18979 da63c8 18965->18979 18967 d9c991 18986 d9cb75 18967->18986 18980 da638d 41 API calls 18979->18980 18982 da63d9 18980->18982 18981 da643c 18981->18967 18982->18981 
18983 da5416 std::_Locinfo::_Locinfo_dtor 15 API calls 18982->18983 18984 da6433 18983->18984 18985 da40e1 ___free_lconv_mon 14 API calls 18984->18985 18985->18981 19008 d9d796 18986->19008 18989 d9cb9e 18990 d9dee7 _Fputc 41 API calls 18989->18990 18991 d9c9d8 18990->18991 19001 d9c92c 18991->19001 18992 d9cbc9 std::_Locinfo::_Locinfo_dtor 18992->18991 18995 d9d720 _Fputc 41 API calls 18992->18995 18997 d9cda6 18992->18997 19014 d9cafd 18992->19014 19017 d9ce21 18992->19017 19051 d9cf7f 18992->19051 18995->18992 18998 d9dee7 _Fputc 41 API calls 18997->18998 18999 d9cdc2 18998->18999 19000 d9dee7 _Fputc 41 API calls 18999->19000 19000->18991 19002 da40e1 ___free_lconv_mon 14 API calls 19001->19002 19003 d9c93c 19002->19003 19004 da6474 19003->19004 19009 d9d7a1 19008->19009 19010 d9d7c3 19008->19010 19011 d9dee7 _Fputc 41 API calls 19009->19011 19080 d9d7ce 19010->19080 19013 d9cb90 19011->19013 19013->18989 19013->18991 19013->18992 19088 d9bf0f 19014->19088 19018 d9ce28 19017->19018 19019 d9ce3f 19017->19019 19021 d9cfa3 19018->19021 19022 d9d014 19018->19022 19028 d9ce7e 19018->19028 19020 d9dee7 _Fputc 41 API calls 19019->19020 19019->19028 19023 d9ce73 19020->19023 19026 d9cfa9 19021->19026 19027 d9d041 19021->19027 19024 d9d019 19022->19024 19025 d9d067 19022->19025 19023->18992 19025->19027 19028->18992 19052 d9cfa3 19051->19052 19053 d9d014 19051->19053 19056 d9cfa9 19052->19056 19057 d9d041 19052->19057 19054 d9d019 19053->19054 19055 d9d067 19053->19055 19058 d9d05b 19054->19058 19059 d9d01b 19054->19059 19055->19057 19066 d9cfe6 19055->19066 19079 d9cfcb 19055->19079 19060 d9cfaf 19056->19060 19056->19066 19061 d9c2b9 42 API calls 19057->19061 19060->19079 19061->19079 19081 d9d84c 19080->19081 19082 d9d7e2 19080->19082 19081->19013 19083 da4bc2 _Ungetc 41 API calls 19082->19083 19084 d9d7e9 19083->19084 19084->19081 19085 d9e062 __Wcrtomb 14 API calls 19084->19085 19086 d9d841 19085->19086 19087 d9df64 ___std_exception_copy 41 API calls 19086->19087 
19087->19081 19089 d9d77b std::_Locinfo::_Locinfo_dtor 41 API calls 19088->19089 19090 d9bf21 19089->19090 19155 d93ff2 19154->19155 19224 d946f0 19155->19224 19157 d9404c 19159 d94b10 73 API calls 19157->19159 19163 d94052 std::ios_base::_Ios_base_dtor 19157->19163 19159->19163 19160 d91fff 19164 d94b10 19160->19164 19161 d94246 19161->19160 19239 d94a80 19161->19239 19229 d91f00 19163->19229 19347 d95464 19164->19347 19167 d95464 std::_Lockit::_Lockit 7 API calls 19169 d94b5e 19167->19169 19168 d94ba1 19353 d954bc 19168->19353 19173 d954bc std::_Lockit::~_Lockit 2 API calls 19169->19173 19171 d94bad 19174 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 19171->19174 19172 d94b82 19172->19168 19176 d97421 std::_Facet_Register 16 API calls 19172->19176 19173->19172 19177 d94bf3 19176->19177 19178 d95464 std::_Lockit::_Lockit 7 API calls 19177->19178 19179 d94c1f 19178->19179 19180 d94c69 19179->19180 19181 d94d88 19179->19181 19360 d9589a 19180->19360 19398 d9560e 19181->19398 19225 d9470c 19224->19225 19226 d94720 19225->19226 19227 d94770 43 API calls 19225->19227 19226->19157 19228 d9473f 19227->19228 19228->19157 19230 d91f1a 19229->19230 19230->19161 19231 d98080 CallUnexpected RaiseException 19230->19231 19232 d91f32 std::ios_base::_Init 19230->19232 19231->19232 19243 d91e50 19232->19243 19240 d94ae3 19239->19240 19241 d94abe 19239->19241 19240->19160 19241->19240 19344 d949f0 19241->19344 19244 d91e90 19243->19244 19244->19244 19245 d94380 std::ios_base::_Init 43 API calls 19244->19245 19246 d91ea6 19245->19246 19268 d913b0 19246->19268 19269 d913f3 19268->19269 19270 d91641 19269->19270 19273 d91408 19269->19273 19321 d912d0 19270->19321 19272 d91646 19274 d9df74 std::ios_base::_Init 41 API calls 19272->19274 19276 d91415 codecvt 19273->19276 19292 d94a30 19273->19292 19282 d91490 19276->19282 19306 d94550 19276->19306 19284 d94550 std::ios_base::_Init 43 API calls 19282->19284 19285 d9150a codecvt 19282->19285 19284->19285 
19285->19272 19286 d91580 std::ios_base::_Ios_base_dtor 19285->19286 19287 d97fdb ___std_exception_copy 42 API calls 19286->19287 19293 d94a3b 19292->19293 19294 d94a5d 19292->19294 19296 d94a72 19293->19296 19297 d94a42 19293->19297 19295 d94a6d 19294->19295 19298 d97421 std::_Facet_Register 16 API calls 19294->19298 19295->19276 19330 d91250 19296->19330 19300 d97421 std::_Facet_Register 16 API calls 19297->19300 19301 d94a67 19298->19301 19302 d94a48 19300->19302 19301->19276 19307 d946a0 19306->19307 19308 d94577 19306->19308 19310 d912d0 std::ios_base::_Init 43 API calls 19307->19310 19309 d94590 19308->19309 19313 d945d9 19308->19313 19314 d945e6 19308->19314 19315 d97421 std::_Facet_Register 16 API calls 19309->19315 19311 d946a5 19310->19311 19313->19309 19313->19311 19316 d97421 std::_Facet_Register 16 API calls 19314->19316 19319 d945a0 codecvt 19314->19319 19315->19319 19316->19319 19336 d955ce 19321->19336 19331 d9125b std::_Facet_Register 19330->19331 19341 d9550e 19336->19341 19342 d91150 std::invalid_argument::invalid_argument 42 API calls 19341->19342 19343 d95520 19342->19343 19345 d91f00 std::ios_base::_Init 43 API calls 19344->19345 19346 d94a0f 19345->19346 19346->19240 19348 d9547a 19347->19348 19349 d95473 19347->19349 19351 d94b41 19348->19351 19408 d96f2c EnterCriticalSection 19348->19408 19403 d9e115 19349->19403 19351->19167 19351->19172 19354 d9e123 19353->19354 19355 d954c6 19353->19355 19455 d9e0fe LeaveCriticalSection 19354->19455 19357 d954d9 19355->19357 19454 d96f3a LeaveCriticalSection 19355->19454 19357->19171 19358 d9e12a 19358->19171 19409 da4864 19403->19409 19408->19351 19410 da41d3 std::_Locinfo::_Locinfo_dtor 5 API calls 19409->19410 19411 da4869 19410->19411 19430 da41ed 19411->19430 19431 da43bc std::_Locinfo::_Locinfo_dtor 5 API calls 19430->19431 19432 da4203 19431->19432 19433 da4207 19432->19433 19454->19357 19455->19358 19816 da336b 19814->19816 19817 da337d ___scrt_uninitialize_crt 19814->19817 19815 da3379 
19815->18620 19816->19815 19819 d9ede6 19816->19819 19817->18620 19822 d9ec73 19819->19822 19825 d9eb67 19822->19825 19826 d9eb73 __FrameHandler3::FrameUnwindToState 19825->19826 19833 d9e0b6 EnterCriticalSection 19826->19833 19828 d9ebe9 19842 d9ec07 19828->19842 19830 d9eb7d ___scrt_uninitialize_crt 19830->19828 19834 d9eadb 19830->19834 19833->19830 19835 d9eae7 __FrameHandler3::FrameUnwindToState 19834->19835 19845 d9bb55 EnterCriticalSection 19835->19845 19837 d9eaf1 ___scrt_uninitialize_crt 19841 d9eb2a 19837->19841 19846 d9ed81 19837->19846 19859 d9eb5b 19841->19859 19891 d9e0fe LeaveCriticalSection 19842->19891 19844 d9ebf5 19844->19815 19845->19837 19847 d9ed96 _Fputc 19846->19847 19848 d9eda8 19847->19848 19849 d9ed9d 19847->19849 19851 d9ed18 ___scrt_uninitialize_crt 66 API calls 19848->19851 19850 d9ec73 ___scrt_uninitialize_crt 70 API calls 19849->19850 19858 d9eda3 19850->19858 19853 d9edb2 19851->19853 19852 d9bbc5 _Fputc 41 API calls 19854 d9ede0 19852->19854 19855 da4bc2 _Ungetc 41 API calls 19853->19855 19853->19858 19854->19841 19856 d9edc9 19855->19856 19862 da81f3 19856->19862 19858->19852 19890 d9bb69 LeaveCriticalSection 19859->19890 19861 d9eb49 19861->19830 19863 da8204 19862->19863 19867 da8211 19862->19867 19864 d9e062 __Wcrtomb 14 API calls 19863->19864 19869 da8209 19864->19869 19865 da825a 19866 d9e062 __Wcrtomb 14 API calls 19865->19866 19868 da825f 19866->19868 19867->19865 19870 da8238 19867->19870 19872 d9df64 ___std_exception_copy 41 API calls 19868->19872 19869->19858 19873 da8151 19870->19873 19872->19869 19874 da815d __FrameHandler3::FrameUnwindToState 19873->19874 19886 dac9a3 EnterCriticalSection 19874->19886 19890->19861 19891->19844 20816 d96454 20817 d96475 20816->20817 20821 d96479 20816->20821 20818 d97413 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 5 API calls 20817->20818 20819 d964e1 20818->20819 20821->20817 20822 d9652f 20821->20822 20823 d964bd 20821->20823 20822->20817 20824 d9dcea 69 API calls 
Call graph (flattened from the interactive graph view: node ids, code addresses and "src->dst" edges; the edge list itself is omitted here). Windows API calls reached from the graphed functions in the 00D90000 image: EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStartupInfoW, GetFileType, GetStdHandle, TlsGetValue, TlsSetValue, RtlAllocateHeap, HeapAlloc, HeapFree, GetLastError, SetLastError, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleW, GetModuleHandleExW, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetACP, GetOEMCP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, GetStringTypeW, and GetPEB (Joe Sandbox's label for a direct read of the Process Environment Block, not an exported function).
CRT-internal symbols Joe Sandbox attached to these nodes: _Fputc, _Ungetc, __Wcrtomb, __Getctype, ___free_lconv_mon, ___std_exception_copy, ___scrt_uninitialize_crt, __wsopen_s, __dosmaperr, __FrameHandler3::FrameUnwindToState, __EH_prolog3, __EH_prolog3_GS, __alloca_probe_16, __freea, codecvt, std::_Locinfo::_Locinfo_dtor, std::ios_base::_Init, std::ios_base::_Ios_base_dtor, std::_Facet_Register, ___vcrt_InitializeCriticalSectionEx and __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ.
Analyst note: every node in this part of the graph is labelled as MSVC runtime start-up, locale, heap or stdio code rather than the sample's own logic. In particular the d9ddb0 block (IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter) belongs to the d9dd68 routine, which is entered only after an IsProcessorFeaturePresent test (d9e146, d9df91) and ends in GetCurrentProcess/TerminateProcess (d9dfb2, d97d65). That sequence is consistent with the MSVC CRT fail-fast fallback path, so this IsDebuggerPresent reference on its own should not be read as deliberate anti-debugging; weight the signature only if the API is also referenced from the sample's own code or from the unpacked payload.

                                                                                                                                                                                                                                                  Control-flow Graph

control_flow_graph: function at d92310, basic blocks d92310 through d9371f (block ids 249 to 353; block ranges and edges flattened from the interactive view and omitted here). Outgoing calls recorded in the block list: d97413 (from the d93700 block), d94380 (from d935a7), d91110 (from d935e0), d97451 (from d93696 and from d936f6) and d9df74 (from d93717). Which blocks were executed is shown only by colour in the interactive view and is not recoverable from the text.
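Joe Sandbox's graph views flatten into a token stream in the text export: a node is an integer id followed by a hex address (or an address range for a basic block), then any number of label tokens (CRT symbols such as _Fputc, Win32 API names such as IsDebuggerPresent, or an "N API calls" annotation), and an edge is "src->dst". The parser below is an added example, not part of the report or of Joe Sandbox; the token format is inferred from the report text, the Win32-versus-CRT classification is a CamelCase heuristic, and the sample inputs are constructed from tokens that appear in this report. It rebuilds the graph and answers the triage question raised above: which APIs are reachable from a given node, and which nodes lead to a flagged API.

```python
"""Rebuild Joe Sandbox's flattened call-graph / control-flow-graph text and query it.

Added example, not part of the Joe Sandbox report. Token format inferred from the
report text: node = "<id> <hex-addr | addr-addr>" followed by label tokens, including
an optional "<n> API calls" annotation; edge = "<id>-><id>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

NODE_ID = re.compile(r"^\d+$")
ADDRESS = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# Heuristic (assumption): exported Win32 names are CamelCase with no leading
# underscore; CRT internals carry '_', '::', '@' or are lowercase (e.g. codecvt).
WIN32_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")

# Constructed sample: tokens taken from this report's call graph and reassembled.
CALL_GRAPH_SAMPLE = """
17482 d9dd68 17483 d9dd84 __FrameHandler3::FrameUnwindToState codecvt 17482->17483
17484 d9ddb0 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 17483->17484
17487 d9de81 __FrameHandler3::FrameUnwindToState 17484->17487 17486 d9de9f 17486->17255
17602 d97413 17487->17602 17603 d9741b 17604 d9741c IsProcessorFeaturePresent 17602->17603 17602->17604
17603->17486 17606 d97da2 17604->17606
17609 d97d65 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 17606->17609
17608 d97e85 17608->17486 17609->17608
17561 d9bd26 GetLastError 17562 d9bd3f 17561->17562 17572 da532d 17562->17572
17555 d9bbc5 17556 d9bbd1 17555->17556 17594 d9bd6c _Fputc 41 API calls 17556->17594
"""
# Constructed sample in the basic-block (control_flow_graph) variant of the format.
CFG_SAMPLE = ("control_flow_graph 249 d92310-d92352 250 d92358 251 d93700-d93716 call d97413 "
              "249->250 249->251 252 d92360-d92481 250->252")


@dataclass
class Node:
    addr: str
    symbols: list = field(default_factory=list)  # CRT-internal labels
    apis: list = field(default_factory=list)     # direct Win32 API calls
    api_call_count: int = 0                      # "<n> API calls" annotation


def parse_graph(text):
    """Return (nodes: {id: Node}, edges: {src: {dst, ...}}) from the flattened text."""
    tokens = text.split()
    nodes, edges = {}, defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges[int(m.group(1))].add(int(m.group(2)))
            i += 1
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            current = Node(addr=tokens[i + 1])          # new node: "<id> <addr>"
            nodes[int(tok)] = current
            i += 2
        elif NODE_ID.match(tok) and tokens[i + 1:i + 3] == ["API", "calls"]:
            if current is not None:
                current.api_call_count = int(tok)       # "<n> API calls"
            i += 3
        else:
            if current is not None:                     # label belongs to the latest node
                (current.apis if WIN32_NAME.match(tok) else current.symbols).append(tok)
            i += 1
    return nodes, edges


def reachable_apis(nodes, edges, start):
    """Win32 APIs reachable from `start` (DFS), mapped to the first block that calls each.
    Edges to ids absent from the text (a truncated export) are skipped, not treated as errors."""
    seen, stack, found = set(), [start], {}
    while stack:
        n = stack.pop()
        if n in seen or n not in nodes:
            continue
        seen.add(n)
        for api in nodes[n].apis:
            found.setdefault(api, nodes[n].addr)
        stack.extend(edges.get(n, ()))
    return found


def callers_of(nodes, edges, api):
    """Nodes that call `api` directly, and every node with a path to one of them (reverse walk)."""
    direct = {n for n, node in nodes.items() if api in node.apis}
    reverse = defaultdict(set)
    for src, dsts in edges.items():
        for dst in dsts:
            reverse[dst].add(src)
    ancestors, frontier = set(), list(direct)
    while frontier:
        for parent in reverse.get(frontier.pop(), ()):
            if parent not in ancestors:
                ancestors.add(parent)
                frontier.append(parent)
    return direct, ancestors


if __name__ == "__main__":
    nodes, edges = parse_graph(CALL_GRAPH_SAMPLE)
    for api, addr in sorted(reachable_apis(nodes, edges, 17482).items()):
        print(f"{api:30s} first called at {addr}")
    direct, ancestors = callers_of(nodes, edges, "IsDebuggerPresent")
    print("IsDebuggerPresent: direct", sorted(direct), "reached from", sorted(ancestors))
```

Walking from the CRT node d9dd68 yields exactly the fail-fast sequence (IsDebuggerPresent, the two exception-filter calls, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess) and nothing else; the same walk from a node inside the sample's own code is the comparison worth making before treating a flagged API as intentional. `callers_of` answers the reverse question: if every ancestor of the IsDebuggerPresent node carries a CRT label, the hit is runtime boilerplate.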
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: %x and %p$.exe$open$shell32.dll
• API String ID: 0-2309511592
• Opcode ID: 6afe50544ad475e9f4ded8c6616bcb1b6cc9142ccbe408ce104f4dd8fd12ebbb
• Instruction ID: cadeb7c33b5aab390ef52d8c1540a277a77739203767ac852c63fa594d6fe27d
• Opcode Fuzzy Hash: 6afe50544ad475e9f4ded8c6616bcb1b6cc9142ccbe408ce104f4dd8fd12ebbb
• Instruction Fuzzy Hash: 3E92B117A30D1F06E30C643D8D562E5A98AD7EA730F869337BD76DB3F4D36A49428284

Control-flow Graph

APIs
  • Part of subcall function 00DAFB56: CreateFileW.KERNELBASE(?,00000000,?,00DAFF46,?,?,00000000,?,00DAFF46,?,0000000C), ref: 00DAFB73
• GetLastError.KERNEL32 ref: 00DAFFB1
• __dosmaperr.LIBCMT ref: 00DAFFB8
• GetFileType.KERNELBASE(00000000), ref: 00DAFFC4
• GetLastError.KERNEL32 ref: 00DAFFCE
• __dosmaperr.LIBCMT ref: 00DAFFD7
• CloseHandle.KERNEL32(00000000), ref: 00DAFFF7
• CloseHandle.KERNEL32(00DA3F21), ref: 00DB0144
• GetLastError.KERNEL32 ref: 00DB0176
• __dosmaperr.LIBCMT ref: 00DB017D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 5bf72d00baf39117700c6e1f0717fd4e912ad6739ba2322c2a23448e1726fc93
• Instruction ID: 3b573416f95ec13f87f911c2f176674462b98230609d97755ebed99e08dbc4c8
• Opcode Fuzzy Hash: 5bf72d00baf39117700c6e1f0717fd4e912ad6739ba2322c2a23448e1726fc93
• Instruction Fuzzy Hash: 90A10532A142159FCF19AF68DC91BAE3BA1EB06310F180299F816DB391DB359946CB71

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 69 d938b0-d9397c call d97421 call d97451 LoadLibraryW call d92310 call d91fd0 * 2 81 d93980-d93985 69->81 81->81 82 d93987-d939d0 call d94380 call d93720 call d94290 81->82 90 d939d2 82->90 91 d939d4-d93aaf call d984b0 82->91 90->91 97 d93adc-d93ae3 91->97 98 d93ab1-d93abc 91->98 101 d93b12-d93b2e 97->101 102 d93ae5-d93af2 97->102 99 d93abe-d93acc 98->99 100 d93ad2-d93ad9 call d97451 98->100 99->100 100->97 103 d93b5d-d93bc4 call d9ba1a call d9dcea call d9bd89 101->103 104 d93b30-d93b3d 101->104 106 d93b08-d93b0f call d97451 102->106 107 d93af4-d93b02 102->107 121 d93bc7-d93bcc 103->121 108 d93b3f-d93b4d 104->108 109 d93b53-d93b5a call d97451 104->109 106->101 107->106 108->109 109->103 121->121 122 d93bce-d93c14 call d94380 call d93720 call d94290 121->122 130 d93c18-d93cdf call d984b0 122->130 131 d93c16 122->131 137 d93d0c-d93d13 130->137 138 d93ce1-d93cec 130->138 131->130 139 d93d42-d93d5e 137->139 140 d93d15-d93d22 137->140 141 d93cee-d93cfc 138->141 142 d93d02-d93d09 call d97451 138->142 146 d93d8d-d93e28 call d9ba1a call d9dcea call d9bd89 call d92310 ShellExecuteA * 2 139->146 147 d93d60-d93d6d 139->147 144 d93d38-d93d3f call d97451 140->144 145 d93d24-d93d32 140->145 141->142 142->137 144->139 145->144 163 d93e2a-d93e37 146->163 164 d93e57-d93e7c 146->164 151 d93d6f-d93d7d 147->151 152 d93d83-d93d8a call d97451 147->152 151->152 152->146 165 d93e39-d93e47 163->165 166 d93e4d-d93e54 call d97451 163->166 167 d93eaa-d93ebd call d97413 164->167 168 d93e7e-d93e8e 164->168 165->166 166->164 171 d93ea0-d93ea7 call d97451 168->171 172 d93e90-d93e9e 168->172 171->167 172->171
APIs
• LoadLibraryW.KERNELBASE(shell32.dll), ref: 00D938FA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: LibraryLoad
• String ID: .exe$open$shell32.dll
• API String ID: 1029625771-3690275032
• Opcode ID: 163edcbf2ec7d8c1dc4b38919948fe18749d8a7cb1b592490e5463dbc0767f93
• Instruction ID: 698509a204ac13280b7742956a8d7fa4b71b62c013e9f783d672e4431e48c3a6
• Opcode Fuzzy Hash: 163edcbf2ec7d8c1dc4b38919948fe18749d8a7cb1b592490e5463dbc0767f93
• Instruction Fuzzy Hash: E9E1C1712083409FEB28DB28C855BAEB7E5FF85304F144A1CF5899B292D771DA458B72
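The control_flow_graph lines in this section are Joe Sandbox's flattened basic-block listing: a decimal block number (numbered across the whole report, so gaps in the sequence are normal), the block's address range (a single address for a one-instruction block such as `90 d939d2`), `call <addr>` for a callee inside the image, a bare name for an imported API, `* N` when the preceding item repeats, and `a->b` for an edge. The parser and triage helpers below are an added example, not Joe Sandbox code. Two points are assumptions inferred from this page rather than documented format: that `* N` binds to the immediately preceding call or API item (as in `call d91fd0 * 2` and `ShellExecuteA * 2`), and that the launch-pattern rule, which just encodes the API and string combination the report shows for the function at d938b0 (LoadLibraryW on shell32.dll, ShellExecuteA, and the strings `open` and `.exe`), is a useful triage heuristic.

```python
import re
from dataclasses import dataclass, field

# Token classes seen in the report's control_flow_graph lines.
NODE_ID = re.compile(r"^\d+$")                    # block number (report-wide)
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")  # start[-end] address of a block
EDGE = re.compile(r"^(\d+)->(\d+)$")              # control-flow edge


@dataclass
class Block:
    nid: int
    start: int
    end: int
    callees: list = field(default_factory=list)  # "call <addr>" targets inside the image
    apis: list = field(default_factory=list)     # imported API names, e.g. LoadLibraryW


@dataclass
class Cfg:
    entry: int     # first block listed; the function's entry point
    blocks: dict   # block id -> Block
    edges: list    # (from_id, to_id)


def parse_cfg(text):
    """Parse one flattened control_flow_graph line into blocks and edges."""
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    blocks, edges, cur, last, entry = {}, [], None, None, None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        m = EDGE.match(tok)
        if m:                                                  # "a->b"
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif NODE_ID.match(tok) and nxt and ADDR.match(nxt):   # "id start[-end]"
            lo, _, hi = nxt.partition("-")
            cur = Block(int(tok), int(lo, 16), int(hi or lo, 16))
            blocks[cur.nid] = cur
            entry = cur.nid if entry is None else entry
            last = None
            i += 2
        elif tok == "call" and nxt:                            # "call addr"
            cur.callees.append(int(nxt, 16))
            last = (cur.callees, cur.callees[-1])
            i += 2
        elif tok == "*" and nxt and last:  # "* N": assumption, repeats the item just before it
            lst, item = last
            lst.extend([item] * (int(nxt) - 1))
            i += 2
        else:                                                  # anything else: imported API name
            cur.apis.append(tok)
            last = (cur.apis, tok)
            i += 1
    return Cfg(entry, blocks, edges)


def self_loops(g):
    """Blocks that branch to themselves: tight loops such as a string scan."""
    return sorted(a for a, b in g.edges if a == b)


def exit_blocks(g):
    """Blocks with no successor: the function's return paths."""
    sources = {a for a, _ in g.edges}
    return sorted(n for n in g.blocks if n not in sources)


def api_sequence(g):
    """Imported APIs in address order, with repeats expanded."""
    return [a for blk in sorted(g.blocks.values(), key=lambda x: x.start) for a in blk.apis]


def flags_launch_pattern(g, strings):
    """Triage heuristic (assumption) encoding what this report shows at d938b0:
    shell32.dll loaded, ShellExecuteA called, and "open" plus ".exe" referenced."""
    return ({"LoadLibraryW", "ShellExecuteA"} <= set(api_sequence(g))
            and {"open", ".exe"} <= set(strings))


# Sample input copied from this report: the control_flow_graph entry and the
# "$"-separated String ID list for the function at d938b0.
CFG_D938B0 = """control_flow_graph 69 d938b0-d9397c call d97421 call d97451 LoadLibraryW call d92310
call d91fd0 * 2 81 d93980-d93985 69->81 81->81 82 d93987-d939d0 call d94380 call d93720
call d94290 81->82 90 d939d2 82->90 91 d939d4-d93aaf call d984b0 82->91 90->91
97 d93adc-d93ae3 91->97 98 d93ab1-d93abc 91->98 101 d93b12-d93b2e 97->101
102 d93ae5-d93af2 97->102 99 d93abe-d93acc 98->99 100 d93ad2-d93ad9 call d97451 98->100
99->100 100->97 103 d93b5d-d93bc4 call d9ba1a call d9dcea call d9bd89 101->103
104 d93b30-d93b3d 101->104 106 d93b08-d93b0f call d97451 102->106 107 d93af4-d93b02 102->107
121 d93bc7-d93bcc 103->121 108 d93b3f-d93b4d 104->108 109 d93b53-d93b5a call d97451 104->109
106->101 107->106 108->109 109->103 121->121 122 d93bce-d93c14 call d94380 call d93720
call d94290 121->122 130 d93c18-d93cdf call d984b0 122->130 131 d93c16 122->131
137 d93d0c-d93d13 130->137 138 d93ce1-d93cec 130->138 131->130 139 d93d42-d93d5e 137->139
140 d93d15-d93d22 137->140 141 d93cee-d93cfc 138->141 142 d93d02-d93d09 call d97451 138->142
146 d93d8d-d93e28 call d9ba1a call d9dcea call d9bd89 call d92310 ShellExecuteA * 2 139->146
147 d93d60-d93d6d 139->147 144 d93d38-d93d3f call d97451 140->144 145 d93d24-d93d32 140->145
141->142 142->137 144->139 145->144 163 d93e2a-d93e37 146->163 164 d93e57-d93e7c 146->164
151 d93d6f-d93d7d 147->151 152 d93d83-d93d8a call d97451 147->152 151->152 152->146
165 d93e39-d93e47 163->165 166 d93e4d-d93e54 call d97451 163->166 167 d93eaa-d93ebd call d97413 164->167
168 d93e7e-d93e8e 164->168 165->166 166->164 171 d93ea0-d93ea7 call d97451 168->171
172 d93e90-d93e9e 168->172 171->167 172->171"""
STRINGS_D938B0 = ".exe$open$shell32.dll".split("$")

if __name__ == "__main__":
    g = parse_cfg(CFG_D938B0)
    print(len(g.blocks), "blocks,", len(g.edges), "edges, entry block", g.entry)
    print("self-loops:", self_loops(g), "exits:", exit_blocks(g))
    print("API order:", api_sequence(g))
    print("launch pattern:", flags_launch_pattern(g, STRINGS_D938B0))
```

On the d938b0 graph this gives 41 blocks and 60 edges with entry block 69, self-loops at blocks 81 and 121, a single exit at block 167, and the API order LoadLibraryW, ShellExecuteA, ShellExecuteA; the same parser accepts the larger d92310 graph earlier in this section, whose single-address blocks (`250 d92358`, `331 d935d9`) take the same form as `90 d939d2` here.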

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 177 da8ea1-da8eba 178 da8ebc-da8ecc call da075b 177->178 179 da8ed0-da8ed5 177->179 178->179 185 da8ece 178->185 181 da8ed7-da8ee1 179->181 182 da8ee4-da8f0a call daafff 179->182 181->182 187 da907d-da908e call d97413 182->187 188 da8f10-da8f1b 182->188 185->179 190 da9070 188->190 191 da8f21-da8f26 188->191 192 da9072 190->192 194 da8f3b-da8f46 call da5416 191->194 195 da8f28-da8f31 call d977a0 191->195 198 da9074-da907b call d9715f 192->198 203 da8f51-da8f55 194->203 204 da8f48 194->204 202 da8f33-da8f39 195->202 195->203 198->187 206 da8f4e 202->206 203->192 207 da8f5b-da8f72 call daafff 203->207 204->206 206->203 207->192 210 da8f78-da8f8a call da478b 207->210 212 da8f8f-da8f93 210->212 213 da8fae-da8fb0 212->213 214 da8f95-da8f9d 212->214 213->192 215 da8f9f-da8fa4 214->215 216 da8fd7-da8fe3 214->216 217 da8faa-da8fac 215->217 218 da9056-da9058 215->218 219 da9062 216->219 220 da8fe5-da8fe7 216->220 217->213 222 da8fb5-da8fcf call da478b 217->222 218->198 221 da9064-da906b call d9715f 219->221 223 da8fe9-da8ff2 call d977a0 220->223 224 da8ffc-da9007 call da5416 220->224 221->213 222->218 234 da8fd5 222->234 223->221 235 da8ff4-da8ffa 223->235 224->221 233 da9009 224->233 236 da900f-da9014 233->236 234->213 235->236 236->221 237 da9016-da902e call da478b 236->237 237->221 240 da9030-da9037 237->240 241 da905a-da9060 240->241 242 da9039-da903a 240->242 243 da903b-da904d call dab07b 241->243 242->243 243->221 246 da904f-da9055 call d9715f 243->246 246->218
APIs
• __alloca_probe_16.LIBCMT ref: 00DA8F28
• __alloca_probe_16.LIBCMT ref: 00DA8FE9
• __freea.LIBCMT ref: 00DA9050
  • Part of subcall function 00DA5416: HeapAlloc.KERNEL32(00000000,?,?,?,00D9743B,?,?,00D938D3,0000000C), ref: 00DA5448
• __freea.LIBCMT ref: 00DA9065
• __freea.LIBCMT ref: 00DA9075
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16$AllocHeap
• String ID:
• API String ID: 1096550386-0
                                                                                                                                                                                                                                                  • Opcode ID: 77a0fec094520955faf0a1b7cab21316074c4da2afdf54bc0aebdd96e8a6cd2e
                                                                                                                                                                                                                                                  • Instruction ID: 45bac0de4fceb863184f910d010fa8410690bc5548696b3a00c5934d4983de84
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 77a0fec094520955faf0a1b7cab21316074c4da2afdf54bc0aebdd96e8a6cd2e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E51C172610206AFEF259F64CC81EBBB7AAEF46790B190128FE08D7150EB71CC509774

APIs
• GetCurrentProcess.KERNEL32(?,?,00DA141C,00000016,00D9BD88,?,?,EEE5288E,00D9BD88,?), ref: 00DA1433
• TerminateProcess.KERNEL32(00000000,?,00DA141C,00000016,00D9BD88,?,?,EEE5288E,00D9BD88,?), ref: 00DA143A
• ExitProcess.KERNEL32 ref: 00DA144C
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: 41cb29cba9965b61089956cc0f33c4c3d0f0b71a038f8c81ac2359e1af3348e7
• Instruction ID: 7f24605f891e04f9ceb189ed9cd8088690e7f31b0436a1a5d0320a91bc64b8b5
• Opcode Fuzzy Hash: 41cb29cba9965b61089956cc0f33c4c3d0f0b71a038f8c81ac2359e1af3348e7
• Instruction Fuzzy Hash: F6D09E35000608EBCF013F66DC0D95D3F2AEF45341F448110B90586231CB7AD9529A71

Control-flow Graph: function starting at da6d9f (calls WriteFile and GetLastError); rendered graph not reproduced here
APIs
  • Part of subcall function 00DA64B2: GetConsoleOutputCP.KERNEL32(EEE5288E,00000000,00000000,00D9BDA8), ref: 00DA6515
• WriteFile.KERNELBASE(FFBF5BE8,00000000,?,00D9BC65,00000000,00000000,00000000,00000000,?,?,00D9BC65,?,?,00DC28B8,00000010,00D9BDA8), ref: 00DA6F08
• GetLastError.KERNEL32(?,00D9BC65,?,?,00DC28B8,00000010,00D9BDA8,?,?,00000000,?), ref: 00DA6F12
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ConsoleErrorFileLastOutputWrite
• String ID:
• API String ID: 2915228174-0
• Opcode ID: 7e2fed57c492d683c0d40b4acb7da164b8d2521240b84b4cb8af60cbca531298
• Instruction ID: d1d34dbabdec4e554b6044286f987073ac0330e920e1ff1b9b56369915a91860
• Opcode Fuzzy Hash: 7e2fed57c492d683c0d40b4acb7da164b8d2521240b84b4cb8af60cbca531298
• Instruction Fuzzy Hash: A9618F75D04249EFDF118FA8C884AEEBBB9EF0A304F1C4055F854A7252D335DA458B70

Control-flow Graph: function starting at dac186 (calls IsValidCodePage and GetCPInfo); rendered graph not reproduced here
APIs
  • Part of subcall function 00DABCB6: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00DABCE1
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00DABFCD,?,00000000,?,00000000,?), ref: 00DAC1E7
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00DABFCD,?,00000000,?,00000000,?), ref: 00DAC229
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: ae1acade06e8c8f90b4e72b18f803a95e78d8cdd0bb17ed7ec82d017f6a77ea4
• Instruction ID: 42cd3f1bbf2bb0745e54541ef013452d410c266539a2a4b18eedfbae563df37d
• Opcode Fuzzy Hash: ae1acade06e8c8f90b4e72b18f803a95e78d8cdd0bb17ed7ec82d017f6a77ea4
• Instruction Fuzzy Hash: A8510170A103459EDF20CFB5C880BAABBF4EF53320F18946ED0928B252D7759941CBB4

Control-flow Graph: function starting at da478b (calls LCMapStringEx and LCMapStringW); rendered graph not reproduced here
APIs
• LCMapStringEx.KERNELBASE(?,00DA8F8F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00DA47BF
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00DA8F8F,?,?,00000000,?,00000000), ref: 00DA47DD
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: String
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2568140703-0
                                                                                                                                                                                                                                                  • Opcode ID: 84dd1a05b286b6dd191659eee8899f0c6fd13268e6c33cb2eb8a353552cdb61d
                                                                                                                                                                                                                                                  • Instruction ID: 7e28de6d7f94cf1f2748f3f9816e1a55e511e8acfc0b7f226108f801bf61f9ae
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 84dd1a05b286b6dd191659eee8899f0c6fd13268e6c33cb2eb8a353552cdb61d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5EF09D3640025AFBCF126F91DC05DDE3F66FF897A0F058210FA1866120CB76C931ABA1

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 484 d93ed0-d93f0d CreateThread WaitForSingleObject call d97413 486 d93f12-d93f15 484->486
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • CreateThread.KERNELBASE(00000000,00000000,00D938B0,00000000,00000000,EEE5288E), ref: 00D93EF6
                                                                                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00D93EFF
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CreateObjectSingleThreadWait
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1891408510-0
                                                                                                                                                                                                                                                  • Opcode ID: 7be281b7f66b8bd925038f8d42fb3d48fd6a0d450149ada5c12dd3973af79055
                                                                                                                                                                                                                                                  • Instruction ID: b2b75dd859c19b8ccf068e4d49da737fa7f16a3047febde740b6286bbbb406a5
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7be281b7f66b8bd925038f8d42fb3d48fd6a0d450149ada5c12dd3973af79055
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6AE08670658300EBDB10BB24DC07F1A37E4BB08B01F500A19F595D63D0D674A4089A76

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 515 da4d4d-da4d61 call dacc1f 518 da4d63-da4d65 515->518 519 da4d67-da4d6f 515->519 520 da4db5-da4dd5 call dacb8e 518->520 521 da4d7a-da4d7d 519->521 522 da4d71-da4d78 519->522 530 da4de7 520->530 531 da4dd7-da4de5 call d9e02b 520->531 524 da4d9b-da4dab call dacc1f CloseHandle 521->524 525 da4d7f-da4d83 521->525 522->521 523 da4d85-da4d99 call dacc1f * 2 522->523 523->518 523->524 524->518 537 da4dad-da4db3 GetLastError 524->537 525->523 525->524 535 da4de9-da4dec 530->535 531->535 537->520
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,00DA4C34,00000000,CF830579,00DC2C48,0000000C,00DA4CF0,00D9BCFB,?), ref: 00DA4DA3
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00DA4C34,00000000,CF830579,00DC2C48,0000000C,00DA4CF0,00D9BCFB,?), ref: 00DA4DAD
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CloseErrorHandleLast
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 918212764-0
                                                                                                                                                                                                                                                  • Opcode ID: db4772324150a0a40981f67a7a8bdbdb7f50f3998db0e03aa936cac3bf999b7c
                                                                                                                                                                                                                                                  • Instruction ID: f2feb62f9f94126ce2366aeaec05f2a8c4e7f8d9da96789bd08e5ddcb05e6015
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: db4772324150a0a40981f67a7a8bdbdb7f50f3998db0e03aa936cac3bf999b7c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 511126336142205ADF246735A846B7E6789DBC3B34F2D0649F918CB2C2DBB5ECC142B0

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 540 dabd8a-dabdac 541 dabdb2-dabdc4 GetCPInfo 540->541 542 dabec5-dabeeb 540->542 541->542 543 dabdca-dabdd1 541->543 544 dabef0-dabef5 542->544 545 dabdd3-dabddd 543->545 546 dabeff-dabf05 544->546 547 dabef7-dabefd 544->547 545->545 550 dabddf-dabdf2 545->550 548 dabf11 546->548 549 dabf07-dabf0a 546->549 551 dabf0d-dabf0f 547->551 552 dabf13-dabf25 548->552 549->551 553 dabe13-dabe15 550->553 551->552 552->544 554 dabf27-dabf35 call d97413 552->554 555 dabe17-dabe4e call da8d98 call da908f 553->555 556 dabdf4-dabdfb 553->556 566 dabe53-dabe88 call da908f 555->566 558 dabe0a-dabe0c 556->558 562 dabe0e-dabe11 558->562 563 dabdfd-dabdff 558->563 562->553 563->562 565 dabe01-dabe09 563->565 565->558 569 dabe8a-dabe94 566->569 570 dabea2-dabea4 569->570 571 dabe96-dabea0 569->571 573 dabeb2 570->573 574 dabea6-dabeb0 570->574 572 dabeb4-dabec1 571->572 572->569 575 dabec3 572->575 573->572 574->572 575->554
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetCPInfo.KERNEL32(E8458D00,?,00DABFD9,00DABFCD,00000000), ref: 00DABDBC
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: Info
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1807457897-0
                                                                                                                                                                                                                                                  • Opcode ID: 099061666cfa4ce1b1b13723ea891017737dc6ea4c986653edf68d72fce0dd7b
                                                                                                                                                                                                                                                  • Instruction ID: 3382f9b7f11f475b0e89a19b1cd62976821f1f47491dc3405b380e4e4118f7e5
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 099061666cfa4ce1b1b13723ea891017737dc6ea4c986653edf68d72fce0dd7b
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B5139715082589EDB218A28CC80BE67BF8EB56314F2805AAE5DAC7143C3359E46DF70

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 576 da43bc-da43e4 577 da43ea-da43ec 576->577 578 da43e6-da43e8 576->578 580 da43ee-da43f0 577->580 581 da43f2-da4402 call da42f1 577->581 579 da443b-da443e 578->579 580->579 584 da4421-da4438 581->584 585 da4404-da4412 GetProcAddress 581->585 587 da443a 584->587 585->584 586 da4414-da441f call da0ba3 585->586 586->587 587->579
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8aa6095233be04d4fee0bc96f5d998663a6251435a76e8591e22ff5c60341267
• Instruction ID: 871042a78fa5e1e1c1d9e9e2332adb771cb7fc9b6286ef9af58b492deeb2b726
• Opcode Fuzzy Hash: 8aa6095233be04d4fee0bc96f5d998663a6251435a76e8591e22ff5c60341267
• Instruction Fuzzy Hash: CD01F9332402169B9F15CE6DEC50B5A33A6EBCA7203548520F510DB544DAF0D801A770

Control-flow Graph (basic blocks with address span, calls and successors; the executed/not-executed colouring of the original figure is not preserved in text)
• 590 da3ee2-da3f08 [call da3cb8] -> 593, 594
• 593 da3f0a-da3f1c [call dafe7d] -> 596
• 594 da3f61-da3f64 -> (exit)
• 596 da3f21-da3f26 -> 594, 597
• 597 da3f28-da3f60 -> (exit)
APIs
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: abe816b2a82f3f36d0e54a9807a4715c7e58657dc7ee289f1bb8435e62687d5a
• Instruction ID: b9607a835fcb76db9021fdc291e8ae16a7bf937e4c0b53ed4b1b9127e1e06f25
• Opcode Fuzzy Hash: abe816b2a82f3f36d0e54a9807a4715c7e58657dc7ee289f1bb8435e62687d5a
• Instruction Fuzzy Hash: A4111571A0420AAFCF05DF58E94199E7BF9EF49304F0440A9F809EB351D730EA25CBA4

Control-flow Graph (basic blocks with address span, calls and successors; the executed/not-executed colouring of the original figure is not preserved in text)
• 598 da4084-da408f -> 599, 600
• 599 da409d-da40a3 -> 602, 603
• 600 da4091-da409b -> 599, 601
• 602 da40bc-da40cd [RtlAllocateHeap] -> 604, 605
• 603 da40a5-da40a6 -> 602
• 601 da40d1-da40dc [call d9e062] -> 608
• 608 da40de-da40e0 -> (exit)
• 604 da40a8-da40af [call da2e3d] -> 601, 611
• 605 da40cf -> 608
• 611 da40b1-da40ba [call da2e88] -> 601, 602
APIs
• RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,00DA52C9,00000001,00000364,?,00000002,000000FF,?,?,00D9E067,00DA5459), ref: 00DA40C5
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 16f2421144d181008660d97fc8d58e77a3c4e0dff2df01a91e34ddfe1fc1b716
• Instruction ID: 989e4448839b802bb2e83f3b14249cf1a29ccdd73583906aa2bc6b7165b09bb6
• Opcode Fuzzy Hash: 16f2421144d181008660d97fc8d58e77a3c4e0dff2df01a91e34ddfe1fc1b716
• Instruction Fuzzy Hash: DAF02432100225EA9B206A269C01B1A3788AFC3760F198115B908DA190CEB0D844A2B8
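The control_flow_graph lines in the records above (the GetProcAddress function at da43bc and the RtlAllocateHeap function at da4084) are the text form of the block graph the IDA plugin draws, and they are the only part of these records that survives extraction in a usable way. The following Python is an added example, not code from the Joe Sandbox report or its plugin: it parses such a line into basic blocks and edges, lists the entry-to-call paths that reach a named API, and reports whether that call sits on a loop (the RtlAllocateHeap block does, which is what a CRT allocation retry loop looks like). The two sample lines are copied from this page; the token grammar (decimal node id, hex address or address range, `call <addr>`, a bare API name, `a->b` edge) is inferred from that text and is an assumption, not a documented format.

```python
"""Parse flattened Joe Sandbox 'control_flow_graph' lines into blocks and edges
and answer the questions a reverser asks of the graph.  Added example; the
token grammar is inferred from the report text and is an assumption."""
import re
from dataclasses import dataclass, field

# Sample lines copied from the GetProcAddress and RtlAllocateHeap records above.
CFG_GETPROCADDRESS = (
    "control_flow_graph 576 da43bc-da43e4 577 da43ea-da43ec 576->577 "
    "578 da43e6-da43e8 576->578 580 da43ee-da43f0 577->580 "
    "581 da43f2-da4402 call da42f1 577->581 579 da443b-da443e 578->579 "
    "580->579 584 da4421-da4438 581->584 585 da4404-da4412 GetProcAddress "
    "581->585 587 da443a 584->587 585->584 586 da4414-da441f call da0ba3 "
    "585->586 586->587 587->579")
CFG_ALLOCATEHEAP = (
    "control_flow_graph 598 da4084-da408f 599 da409d-da40a3 598->599 "
    "600 da4091-da409b 598->600 602 da40bc-da40cd RtlAllocateHeap 599->602 "
    "603 da40a5-da40a6 599->603 600->599 601 da40d1-da40dc call d9e062 "
    "600->601 608 da40de-da40e0 601->608 604 da40a8-da40af call da2e3d "
    "602->604 605 da40cf 602->605 603->602 604->601 "
    "611 da40b1-da40ba call da2e88 604->611 605->608 611->601 611->602")

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    node: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # 'call <addr>' targets in the image
    apis: list = field(default_factory=list)   # named API calls, e.g. GetProcAddress


def parse_cfg(line):
    """Return (blocks keyed by node id, edge list, node ids in listing order)."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, order, cur, i = {}, [], [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE_RE.match(tok)
        if edge:                                   # 'a->b'
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
        elif tok.isdigit():                        # new block: id then address span
            addr = ADDR_RE.match(tokens[i + 1])
            if not addr:
                raise ValueError(f"node {tok} is not followed by an address")
            start = int(addr.group(1), 16)
            end = int(addr.group(2), 16) if addr.group(2) else start
            cur = Block(int(tok), start, end)
            blocks[cur.node] = cur
            order.append(cur.node)
            i += 2
        elif tok == "call":                        # internal call target
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:                                      # anything else is an API name
            cur.apis.append(tok)
            i += 1
    return blocks, edges, order


def successors(edges):
    succ = {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
    return succ


def paths_to_api(blocks, edges, entry, api):
    """All simple paths from `entry` to blocks whose annotations name `api`."""
    succ = successors(edges)
    targets = {n for n, b in blocks.items() if api in b.apis}
    found = []

    def walk(node, path):
        if node in targets:
            found.append(path)
        for nxt in succ.get(node, []):
            if nxt not in path:                    # simple paths only
                walk(nxt, path + [nxt])

    walk(entry, [entry])
    return found, targets


def on_loop(edges, node):
    """True if `node` can reach itself, i.e. the block is inside a cycle."""
    succ = successors(edges)
    seen, stack = set(), list(succ.get(node, []))
    while stack:
        n = stack.pop()
        if n == node:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(succ.get(n, []))
    return False


def render(blocks, edges, order):
    """One readable line per block: id, address span, annotations, successors."""
    succ = successors(edges)
    out = []
    for n in order:
        b = blocks[n]
        span = f"{b.start:x}" if b.start == b.end else f"{b.start:x}-{b.end:x}"
        notes = [f"call {t:x}" for t in b.calls] + b.apis
        tail = " [" + ", ".join(notes) + "]" if notes else ""
        nxt = ", ".join(str(s) for s in succ.get(n, [])) or "(exit)"
        out.append(f"{n} {span}{tail} -> {nxt}")
    return out


if __name__ == "__main__":
    for line, api in ((CFG_GETPROCADDRESS, "GetProcAddress"),
                      (CFG_ALLOCATEHEAP, "RtlAllocateHeap")):
        blocks, edges, order = parse_cfg(line)
        print("\n".join(render(blocks, edges, order)))
        paths, targets = paths_to_api(blocks, edges, order[0], api)
        for p in paths:
            print(f"{api}: " + " -> ".join(map(str, p)))
        print(f"{api} block on a loop: {any(on_loop(edges, t) for t in targets)}\n")
```

The entry block is taken to be the first block listed, which in both records is also the lowest address. Running the script shows a single path to the GetProcAddress call (576 -> 577 -> 581 -> 585, gated by the two conditional blocks before it) and four paths to RtlAllocateHeap, with block 602 reachable from itself through 604 and 611.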
APIs
• CreateFileW.KERNELBASE(?,00000000,?,00DAFF46,?,?,00000000,?,00DAFF46,?,0000000C), ref: 00DAFB73
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: b0b3fbf7097eb88f392f3922b7a067f0a3ce8fc9e48226b1f5b2b0eb5eb59dfa
• Instruction ID: 0d4941f94b4c90fa02fa1ffb385e0829901f95f8ab77d68a62c0c6d2ca5bacac
• Opcode Fuzzy Hash: b0b3fbf7097eb88f392f3922b7a067f0a3ce8fc9e48226b1f5b2b0eb5eb59dfa
• Instruction Fuzzy Hash: DCD06C3200020DFBDF028F84DC06EDA3FAAFB4C754F018100FA5896121C736E821AB90
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: __floor_pentium4
• String ID: 1#IND$1#INF$1#QNAN$1#SNAN
• API String ID: 4168288129-2761157908
• Opcode ID: 6b1925f0e1941a96c393e7eaccb7ca63016eaa37916caa184a5f6572679c5ef0
• Instruction ID: 3cd642e78a8627c51d8c4cf7c8427539fc6024a10d89b8c05022d2f3d3c0b62d
• Opcode Fuzzy Hash: 6b1925f0e1941a96c393e7eaccb7ca63016eaa37916caa184a5f6572679c5ef0
• Instruction Fuzzy Hash: C0D21775E08228CFDB65CE28CD507EAB7B5EB45304F5841EAD44EE7240EB74AE818F60
APIs
• GetLocaleInfoW.KERNEL32(3FC00000,2000000B,00DAEEAF,00000002,00000000,?,?,?,00DAEEAF,?,00000000), ref: 00DAEC2A
• GetLocaleInfoW.KERNEL32(3FC00000,20001004,00DAEEAF,00000002,00000000,?,?,?,00DAEEAF,?,00000000), ref: 00DAEC53
• GetACP.KERNEL32(?,?,00DAEEAF,?,00000000), ref: 00DAEC68
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
• Opcode ID: f0b48ae7a6ca906859506aed15e92f1a2985fc5fa778da8fd621730bf3d40aa2
• Instruction ID: 0760446264265ab32da6ac2f6f597c13d4b099baff13549cc248f58a9786c3dd
• Opcode Fuzzy Hash: f0b48ae7a6ca906859506aed15e92f1a2985fc5fa778da8fd621730bf3d40aa2
• Instruction Fuzzy Hash: A5218E32A00204EADB34DF15C945BAB73A6AB52B74B5E8524F94BD7244FB32DE40C7B0
APIs
  • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
  • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
• GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00DAEE72
• IsValidCodePage.KERNEL32(00000000), ref: 00DAEEBB
• IsValidLocale.KERNEL32(?,00000001), ref: 00DAEECA
• GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00DAEF12
• GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00DAEF31
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
• String ID:
• API String ID: 415426439-0
• Opcode ID: a6f5264e8c57b09b633c4d58a31759ec9ac5976c7be1790bd025e06afda0db7a
• Instruction ID: bbff48a7d9709bd2ca4bf07576098d430b60a22aae87de5674b3cd8317f495cb
• Opcode Fuzzy Hash: a6f5264e8c57b09b633c4d58a31759ec9ac5976c7be1790bd025e06afda0db7a
• Instruction Fuzzy Hash: 41515D72A00205EFDF20EFA5CC45AAA77B8EF1A700F184529F915E7191E770DA04CB71
APIs
  • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
  • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
• GetACP.KERNEL32(?,?,?,?,?,?,00DA1ED1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00DAE4C3
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00DA1ED1,?,?,?,00000055,?,-00000050,?,?), ref: 00DAE4EE
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00DAE651
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast$CodeInfoLocalePageValid
• String ID: utf8
• API String ID: 607553120-905460609
• Opcode ID: 318511b86db943267d4f6f2ef3aba705cfdc2840d757e3cadf8557e0ea5d3c20
• Instruction ID: 5930c29f431f7c230bfdc998a9d4a0b9326afc0ca6e07bd134ac395bd73cee25
• Opcode Fuzzy Hash: 318511b86db943267d4f6f2ef3aba705cfdc2840d757e3cadf8557e0ea5d3c20
• Instruction Fuzzy Hash: 5B71F331A00306AADB24AB75DC46BBA73ACEF4A714F18482AF506D7181FBB4ED40C771
APIs
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
• Instruction ID: 6f824d045497789229dd2397589a994a98e3f1b2c5865028d93d9a2179ccf201
• Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
• Instruction Fuzzy Hash: 1CB15932900645DFDB11CF68D8817EEBBF5EF5A320F19416AE945AB245D238DD01CB70
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D97AFD
                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00D97BC9
                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D97BE9
                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?), ref: 00D97BF3
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 254469556-0
                                                                                                                                                                                                                                                  • Opcode ID: 3785b56a825ff7b9cab569948f8df164529336fe38b6eaed272ce81a66e442ba
                                                                                                                                                                                                                                                  • Instruction ID: 93f61aa51b8339035045dd1762a24ab4e631a1a5f81c5ba8b1fa67ff7a49c10d
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3785b56a825ff7b9cab569948f8df164529336fe38b6eaed272ce81a66e442ba
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A5311675D15318DBDF11EFA4D9897CDBBB8AF08300F1041AAE40DAB250EB759A85CF64
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAE869
                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAE8B3
                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAE979
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 661929714-0
                                                                                                                                                                                                                                                  • Opcode ID: 5f383ea7842e8a74c925c5d93082ff8104737a425a2ccaa452f63edf0a0f5e46
                                                                                                                                                                                                                                                  • Instruction ID: 229372571a216f56b90ad2c4beb7faab0f8d72e9193f71bb6529d79fd4c6d21a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5f383ea7842e8a74c925c5d93082ff8104737a425a2ccaa452f63edf0a0f5e46
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 64618D719402179FEB689F28CD82BBA77A8FF46310F184279E905C6685F738D981CB70
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00D9DE60
                                                                                                                                                                                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00D9DE6A
                                                                                                                                                                                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00D9DE77
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3906539128-0
                                                                                                                                                                                                                                                  • Opcode ID: 0bb588cfd2b518c770dcf30a6771716f154f6ae8a7eac03f1dad643c33ac45cd
                                                                                                                                                                                                                                                  • Instruction ID: ab1154a18445a8d28de08ebfa9a37b00044b5f1a01dd62795408d16365ebf715
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 0bb588cfd2b518c770dcf30a6771716f154f6ae8a7eac03f1dad643c33ac45cd
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF31B3749113289BCF21DF64D98978DBBB4BF18310F5041EAE41CA7251E7749F818F64
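The APIs entries in this section list, for each disassembled function, the resolved imports together with the stack slots Joe Sandbox observed at the call site and the call-site address; because the listing shows stack slots rather than declared parameters, an API with no parameters such as IsDebuggerPresent can still appear with six values. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses these lines, decodes the argument constants an analyst would otherwise look up (0x17 is PF_FASTFAIL_AVAILABLE, 0xC000000D is STATUS_INVALID_PARAMETER), and flags the sequence IsDebuggerPresent, then SetUnhandledExceptionFilter(NULL), then UnhandledExceptionFilter, which is the MSVC CRT failure-reporting idiom (__report_gsfailure / __raise_securityfailure / _invoke_watson) that the compiler links into every /GS binary. On that evidence alone the "IsDebuggerPresent" signature in the overview is CRT boilerplate, not deliberate anti-debugging. The sample input is copied from the APIs blocks of this section; the line format is inferred from those lines only and the regular expression is an assumption about it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the "APIs" blocks copied from this report section,
# one block per function. The format is inferred from these lines only.
SAMPLE = """\
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00D97AFD
• IsDebuggerPresent.KERNEL32 ref: 00D97BC9
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00D97BE9
• UnhandledExceptionFilter.KERNEL32(?), ref: 00D97BF3
APIs
  • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
  • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAE869
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAE8B3
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAE979
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 00D9DE60
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 00D9DE6A
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 00D9DE77
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,3FC00000,?,00000008,?,?,00DA9506,3FC00000,?,00000008,?,?,00DB2FE5,00000000), ref: 00DA9738
"""


@dataclass
class ApiCall:
    name: str
    module: str
    args: list               # stack slots as printed; '?' means unresolved
    ref: int                 # call-site address
    subcall: Optional[int]   # callee address when the call belongs to a sub-function


# Assumed line shape: [Part of subcall function XXXXXXXX: ]Name.MODULE[(slots)][,] ref: XXXXXXXX
CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)


def parse_api_blocks(text: str) -> list[list[ApiCall]]:
    """Split the listing at each 'APIs' header and parse the bullet lines below it."""
    blocks: list[list[ApiCall]] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = []
            blocks.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = CALL_RE.match(line[1:].strip())
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = [a for a in (m["args"] or "").split(",") if a]
        cur.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16),
                           int(m["sub"], 16) if m["sub"] else None))
    return blocks


# (API name, slot index, printed value) -> meaning. Only constants that are
# certain from the Windows SDK are decoded; everything else is passed through.
KNOWN_ARGS = {
    ("IsProcessorFeaturePresent", 0, "00000017"): "PF_FASTFAIL_AVAILABLE",
    ("RaiseException", 0, "C000000D"): "STATUS_INVALID_PARAMETER",
    ("SetUnhandledExceptionFilter", 0, "00000000"): "NULL (restore default filter)",
}


def decode_args(call: ApiCall) -> list[str]:
    return [KNOWN_ARGS.get((call.name, i, a), a) for i, a in enumerate(call.args)]


CRT_FAILURE_REPORT = ("IsDebuggerPresent", "SetUnhandledExceptionFilter",
                      "UnhandledExceptionFilter")


def is_crt_failure_report(calls: list[ApiCall]) -> bool:
    """True when the function's own calls, in address order, contain
    IsDebuggerPresent -> SetUnhandledExceptionFilter(NULL) -> UnhandledExceptionFilter
    back to back: the MSVC CRT __raise_securityfailure / _invoke_watson idiom."""
    own = sorted((c for c in calls if c.subcall is None), key=lambda c: c.ref)
    for i in range(len(own) - 2):
        window = own[i:i + 3]
        if (tuple(c.name for c in window) == CRT_FAILURE_REPORT
                and window[1].args[:1] == ["00000000"]):
            return True
    return False


def summarize(blocks: list[list[ApiCall]]) -> list[dict]:
    """One record per function: its own API names, decoded first call, and a triage note."""
    out = []
    for calls in blocks:
        own = [c for c in calls if c.subcall is None]
        note = ("CRT failure-report idiom, not anti-debug"
                if is_crt_failure_report(calls) else "")
        out.append({"apis": [c.name for c in own],
                    "first_call": f"{own[0].name}({', '.join(decode_args(own[0]))})",
                    "note": note})
    return out


if __name__ == "__main__":
    for rec in summarize(parse_api_blocks(SAMPLE)):
        print(rec)
```

Run against a full report export, the same parser lets you diff the API sequences of two samples or suppress the CRT idiom before counting "anti-analysis" hits; keep the raw slots as well, since values past an API's real arity are caller stack contents and can carry useful return addresses.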
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: ddea241b9222524aa140a82a6791fc6d0ddcc5cf7be7707f7ebfe0d02a874e92
                                                                                                                                                                                                                                                  • Instruction ID: b67cf81cf2cc0ae11ff564c2aa20af5db8a0a4c7b480afb02652b20cb1a692e5
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ddea241b9222524aa140a82a6791fc6d0ddcc5cf7be7707f7ebfe0d02a874e92
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28F13071E002199FDF14CF68D8806ADBBB1FF89314F198269E919EB391D730AD45CBA4
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • RaiseException.KERNEL32(C000000D,00000000,00000001,3FC00000,?,00000008,?,?,00DA9506,3FC00000,?,00000008,?,?,00DB2FE5,00000000), ref: 00DA9738
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00D977E6
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
APIs
  • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
  • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00DAEABC
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
APIs
  • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
  • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
• EnumSystemLocalesW.KERNEL32(00DAE815,00000001,00000000,?,-00000050,?,00DAEE46,00000000,?,?,?,00000055,?), ref: 00DAE761
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2417226690-0
                                                                                                                                                                                                                                                  • Opcode ID: 5a7204565496c5bb3040ca66d124089eeb33385173f53dc203c21daf6a92a367
                                                                                                                                                                                                                                                  • Instruction ID: 4e778c9b33c0e1e771664a8d4a3ca6c5e69225727a7affe42b4b21af668d3690
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 5a7204565496c5bb3040ca66d124089eeb33385173f53dc203c21daf6a92a367
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3111E53B2007019FDB18AF39D8916BAB792FF81358B19452DE98687A40E775B942C760
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00DAEB12,00000000,00000000,?), ref: 00DAECC3
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3736152602-0
                                                                                                                                                                                                                                                  • Opcode ID: 40e1d9f52d85f4b24738128f33cca3b69e7820375c2e214e96627aa945ad24cf
                                                                                                                                                                                                                                                  • Instruction ID: b8fd0f14c5986a406a626c294ebae6b3ce9567382cf14a90c1273249c8f47b7e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 40e1d9f52d85f4b24738128f33cca3b69e7820375c2e214e96627aa945ad24cf
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 07F0CD36600225BFDF245B25CC45BBAB764EB41764F194429ED07A3140DA74FE41C6B0
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
                                                                                                                                                                                                                                                  • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00DAE651
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                                                  • String ID: utf8
                                                                                                                                                                                                                                                  • API String ID: 3736152602-905460609
                                                                                                                                                                                                                                                  • Opcode ID: 69ff7f1f69f72d3b1a9581856d4b2be1c4a6e0a558ef599efff21a00d093bd98
                                                                                                                                                                                                                                                  • Instruction ID: 5cf3a489e59229f684119f4a728732e2f8c3ea09e331a49b3b7bc54401cf968e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 69ff7f1f69f72d3b1a9581856d4b2be1c4a6e0a558ef599efff21a00d093bd98
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 48F0A432650209ABCB14AB24EC5AEBA37A8DB49310F140979B602D7241DA78AD059770
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
                                                                                                                                                                                                                                                    • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
                                                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(00DAEA68,00000001,45F1B473,?,-00000050,?,00DAEE0A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 00DAE7D4
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2417226690-0
                                                                                                                                                                                                                                                  • Opcode ID: ab9a5531cbcfef4fdb40683cc0dda25ec6f0a54b10fcbfb0672a1ea580b4d041
                                                                                                                                                                                                                                                  • Instruction ID: fc066ab6f6cfa418f68bdd6bb7d3f00b97a9dfb94d0a9fb7326c05837ad5f317
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ab9a5531cbcfef4fdb40683cc0dda25ec6f0a54b10fcbfb0672a1ea580b4d041
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9FF0F6362003045FDB146F35DCC1A7A7B95FF82768F09842DF9068B680D6719C02C730
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                    • Part of subcall function 00D9E0B6: EnterCriticalSection.KERNEL32(?,?,00DA2ECC,00000000,00DC2B68,0000000C,00DA2E93,0000000C,?,00DA40B7,0000000C,?,00DA52C9,00000001,00000364,?), ref: 00D9E0C5
                                                                                                                                                                                                                                                  • EnumSystemLocalesW.KERNEL32(00DA411B,00000001,00DC2BE8,0000000C,00DA454A,00000000), ref: 00DA4160
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 1272433827-0
APIs
  • Part of subcall function 00DA512B: GetLastError.KERNEL32(?,00000008,00DA76AA), ref: 00DA512F
  • Part of subcall function 00DA512B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 00DA51D1
• EnumSystemLocalesW.KERNEL32(00DAE5FD,00000001,45F1B473,?,?,00DAEE68,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 00DAE6DB
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Yara matches
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00DA2A37,?,20001004,00000000,00000002,?,?,00DA2039), ref: 00DA4682
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Yara matches
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_00007C5F,00D9727A), ref: 00D97C58
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Yara matches
Similarity
• API ID: HeapProcess
• String ID:
• API String ID: 54951025-0
Memory Dump Source
• Source File: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: eafc9afbd71d0c63c25bd700d152b00fba6a1b79f89aedc9458559ba3c3e83a7
                                                                                                                                                                                                                                                  • Instruction ID: d2c1fb0732fcd40301db5856699716e810ec8bcbab686e3f1b8557beeac4b8e1
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: eafc9afbd71d0c63c25bd700d152b00fba6a1b79f89aedc9458559ba3c3e83a7
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 92C08C38001A0046CE29CD1882713A5B364E397782F88058CC8020F742C95E9C82EA70
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D94B3C
                                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D94B59
                                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D94B7D
                                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D94BA8
                                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D94C1A
                                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D94C6F
                                                                                                                                                                                                                                                  • __Getctype.LIBCPMT ref: 00D94C86
                                                                                                                                                                                                                                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D94CC6
                                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D94D68
                                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 00D94D6E
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
                                                                                                                                                                                                                                                  • String ID: bad locale name
                                                                                                                                                                                                                                                  • API String ID: 103145292-1405518554
                                                                                                                                                                                                                                                  • Opcode ID: 6363518b53882d60af40e51b5f140b59bbd4ca663b0f1d576ce0d3b5cafcdd2e
                                                                                                                                                                                                                                                  • Instruction ID: 1388cf2f5c7274980f281f65bc368b26c89d35a64a5561d70dea2073414a9b3c
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6363518b53882d60af40e51b5f140b59bbd4ca663b0f1d576ce0d3b5cafcdd2e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3A616CB59087418FDB21DF64D981B5BB7E4EF94304F08492CE98997352EB30E949CBB2
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D97183
                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00D97191
                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00D971A2
                                                                                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00D971B3
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: AddressProc$HandleModule
                                                                                                                                                                                                                                                  • String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
                                                                                                                                                                                                                                                  • API String ID: 667068680-1247241052
                                                                                                                                                                                                                                                  • Opcode ID: e9a8d5ee27558ffd88cb6ba3b1ec2bd916798490a6bcbdca1d9e803e0b44072c
                                                                                                                                                                                                                                                  • Instruction ID: 8412b763f6092df2b06cad7976639d4a4050c0301848a9acf1cc79b7c3a91c14
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9a8d5ee27558ffd88cb6ba3b1ec2bd916798490a6bcbdca1d9e803e0b44072c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6BE04675509722EF83106F79BC09CC97AA8EB49B403010651B806E2320D2BC80888AB4
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • type_info::operator==.LIBVCRUNTIME ref: 00D9AAA7
                                                                                                                                                                                                                                                  • ___TypeMatch.LIBVCRUNTIME ref: 00D9ABB5
                                                                                                                                                                                                                                                  • _UnwindNestedFrames.LIBCMT ref: 00D9AD07
                                                                                                                                                                                                                                                  • CallUnexpected.LIBVCRUNTIME ref: 00D9AD22
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                                                  • String ID: csm$csm$csm
                                                                                                                                                                                                                                                  • API String ID: 2751267872-393685449
                                                                                                                                                                                                                                                  • Opcode ID: 3532f95dbcf3d657a07c7b269cf9b9d8b1c4e3b44a85d89d59fa9a602f573941
                                                                                                                                                                                                                                                  • Instruction ID: b66109307621465d32d658a4285f76b5f15d471d7c19915a1cf8f5e8050bf267
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3532f95dbcf3d657a07c7b269cf9b9d8b1c4e3b44a85d89d59fa9a602f573941
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 93B16976800219EFCF25EFA8C9819AEBBB5FF54310B19415AE8116B212D731DA51CFF2
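To work with these per-function records outside the report viewer, the following Python parser (an added example; not code from Joe Sandbox or its IDA plugin) splits the flattened listing into one record per function, pulls out the API call sites, the "$"-joined string list and the Similarity hashes, and lists which functions resolve exports at runtime through GetProcAddress. The record layout and the regular expressions are inferred from the blocks on this page; SAMPLE is built from two of the records above, abridged (most Associated lines and the Instruction ID / Opcode Fuzzy Hash fields dropped). One caveat a triager needs: the three names resolved in the function at 00D97183 onward (GetCurrentPackageId, GetSystemTimePreciseAsFileTime, GetTempPath2W) are exactly what the Visual C++ runtime's startup code probes kernel32 for on any build, so that set is baseline runtime behaviour, not an indicator on its own.

```python
"""Parse flattened Joe Sandbox per-function records into structured data."""
import re
from dataclasses import dataclass, field

# Constructed sample: two records copied from the report above, abridged.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00D97183
• GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00D97191
• GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00D971A2
• GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00D971B3
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: AddressProc$HandleModule
• String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
• API String ID: 667068680-1247241052
• Opcode ID: e9a8d5ee27558ffd88cb6ba3b1ec2bd916798490a6bcbdca1d9e803e0b44072c
• Instruction Fuzzy Hash: 6BE04675509722EF83106F79BC09CC97AA8EB49B403010651B806E2320D2BC80888AB4
APIs
• type_info::operator==.LIBVCRUNTIME ref: 00D9AAA7
• ___TypeMatch.LIBVCRUNTIME ref: 00D9ABB5
• _UnwindNestedFrames.LIBCMT ref: 00D9AD07
• CallUnexpected.LIBVCRUNTIME ref: 00D9AD22
Similarity
• API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2751267872-393685449
• Opcode ID: 3532f95dbcf3d657a07c7b269cf9b9d8b1c4e3b44a85d89d59fa9a602f573941
• Instruction Fuzzy Hash: 93B16976800219EFCF25EFA8C9819AEBBB5FF54310B19415AE8116B212D731DA51CFF2
"""

# "• name.MODULE(args), ref: ADDR"; args and the comma are optional.
API_RE = re.compile(r"^• (?P<name>[^.(]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• (?P<key>[^:]+):\s*(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}


@dataclass
class ApiRef:
    name: str
    module: str
    args: list
    ref: str                      # call-site address as printed by the report


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # "Opcode ID", "Source File", ...

    def strings(self):
        """Referenced strings; the report joins them with '$'."""
        return [s for s in self.meta.get("String ID", "").split("$") if s]

    def dynamic_imports(self):
        """Export names this function resolves at runtime via GetProcAddress."""
        return [a.args[1] for a in self.apis
                if a.name == "GetProcAddress" and len(a.args) >= 2]


def parse_records(text):
    """One FunctionRecord per function; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append(ApiRef(m["name"], m["module"], args, m["ref"]))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key = m["key"]
        val = re.sub(r"Download File$", "", m["val"]).strip()   # strip link residue
        if key == "Associated":                 # repeats once per memory region
            cur.meta.setdefault(key, []).append(val)
        else:
            cur.meta[key] = val
        if key == "Instruction Fuzzy Hash":     # last field of every record
            records.append(cur)
            cur = FunctionRecord()
    return records


def runtime_resolved_exports(records):
    """Opcode ID -> names resolved via GetProcAddress, for functions that do so.

    The MSVC runtime's startup probes kernel32 for GetCurrentPackageId,
    GetSystemTimePreciseAsFileTime and GetTempPath2W on every build, so
    that trio is expected; anything beyond it is what deserves a look.
    """
    return {r.meta.get("Opcode ID", "?"): r.dynamic_imports()
            for r in records if r.dynamic_imports()}


if __name__ == "__main__":
    for opcode_id, names in runtime_resolved_exports(parse_records(SAMPLE)).items():
        print(opcode_id[:16], names)
```

Feed it the whole flattened listing (all records, not just SAMPLE) and diff the resolved-name sets against the runtime baseline above; functions whose GetProcAddress targets fall outside it, or whose first argument is not the kernel32 handle obtained just before, are the ones to open in the disassembly.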
APIs
• GetCPInfo.KERNEL32(00C105D8,00C105D8,?,7FFFFFFF,?,00DB45E5,00C105D8,00C105D8,?,00C105D8,?,?,?,?,00C105D8,?), ref: 00DB43BB
• __alloca_probe_16.LIBCMT ref: 00DB4476
• __alloca_probe_16.LIBCMT ref: 00DB4505
• __freea.LIBCMT ref: 00DB4550
• __freea.LIBCMT ref: 00DB4556
• __freea.LIBCMT ref: 00DB458C
• __freea.LIBCMT ref: 00DB4592
• __freea.LIBCMT ref: 00DB45A2
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: __freea$__alloca_probe_16$Info
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 127012223-0
                                                                                                                                                                                                                                                  • Opcode ID: 3e462527654b3fb3ffb88e0c07329af420f36db92a218664b59e7f1bbfdc5f6e
                                                                                                                                                                                                                                                  • Instruction ID: 1608d9740a6f7a4d223f0f53a77de4804d7b53f2b6d9161602368deb53c87f72
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3e462527654b3fb3ffb88e0c07329af420f36db92a218664b59e7f1bbfdc5f6e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9271B072900609EBDF21DA988C41BEE77F9DF49714F2C0059E956A7283E775DC048770
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,EEE5288E,?,00DA43FE,00D938D3,?,?,00000000), ref: 00DA43B2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
• Opcode ID: 7911862b6067bbc61afb1a0661bb4e0660e126d73b77fe8345a0f646ab6951b8
• Instruction ID: dd57579a0d4954b1b935149af083d1ac3fa514de068969c5601403818b9c8cc1
• Opcode Fuzzy Hash: 7911862b6067bbc61afb1a0661bb4e0660e126d73b77fe8345a0f646ab6951b8
• Instruction Fuzzy Hash: 5421A531A41311EBCF21AB65EC41E5E7759AF82764B190210F956E73D1DBB0ED04CAF0
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c09d526323aef1f6bfbc367e594b3b4c83034d511ed7d4eaf2b6f861d1ff39e6
• Instruction ID: 08229a27d8d89968ff730bda4d239344e4796a5d777fbd9d7d2180533016d50c
• Opcode Fuzzy Hash: c09d526323aef1f6bfbc367e594b3b4c83034d511ed7d4eaf2b6f861d1ff39e6
• Instruction Fuzzy Hash: FBB1CE72A00246DBDB15DF99C881BFE7BB1BF59300F188258E4469B292D775AD41CB70
APIs
• GetLastError.KERNEL32(?,?,00D9A611,00D98D4A,00D97CA3), ref: 00D9A628
• ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00D9A636
• ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00D9A64F
• SetLastError.KERNEL32(00000000,00D9A611,00D98D4A,00D97CA3), ref: 00D9A6A1
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ErrorLastValue___vcrt_
• String ID:
• API String ID: 3852720340-0
• Opcode ID: abf6d19c4662c396a5a61b45b12889566dda324ea9323ed12b02fd3ccf96726a
• Instruction ID: d924e691f7e7bc648280174d17e6ac00796a205ef8eb5cbeffb8c3f756dfa9ca
• Opcode Fuzzy Hash: abf6d19c4662c396a5a61b45b12889566dda324ea9323ed12b02fd3ccf96726a
• Instruction Fuzzy Hash: FE01D433109B135EEF242BB8FC96A262768EB11375729133AF614D61E0EF964C00A1F5
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,EEE5288E,?,?,00000000,00DB533E,000000FF,?,00DA1448,?,?,00DA141C,00000016), ref: 00DA14ED
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DA14FF
• FreeLibrary.KERNEL32(00000000,?,00000000,00DB533E,000000FF,?,00DA1448,?,?,00DA141C,00000016), ref: 00DA1521
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: 7dded08c803037614b96f45477f8f16df6cfe93e27d93387487fdaa44b15b818
• Instruction ID: 0290b208ec16eedc767ed0eaad46c21e7160080cda9cb428da5dd12dcc1f6273
• Opcode Fuzzy Hash: 7dded08c803037614b96f45477f8f16df6cfe93e27d93387487fdaa44b15b818
• Instruction Fuzzy Hash: 9801A236940725EFCB219B54DC09FAEBBB8FB44B51F040625F812E23D0DB789900DAB0
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • __EH_prolog3.LIBCMT ref: 00D95A20
                                                                                                                                                                                                                                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00D95A2A
                                                                                                                                                                                                                                                    • Part of subcall function 00D91980: std::_Lockit::_Lockit.LIBCPMT ref: 00D9199C
                                                                                                                                                                                                                                                    • Part of subcall function 00D91980: std::_Lockit::~_Lockit.LIBCPMT ref: 00D919B9
                                                                                                                                                                                                                                                  • codecvt.LIBCPMT ref: 00D95A64
                                                                                                                                                                                                                                                  • std::_Facet_Register.LIBCPMT ref: 00D95A7B
                                                                                                                                                                                                                                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00D95A9B
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 712880209-0
                                                                                                                                                                                                                                                  • Opcode ID: 37a87cdb28850234de622557e92ff127d2d0246249dc2e8379543994a4c8e01f
                                                                                                                                                                                                                                                  • Instruction ID: ff3f00056bf054fabd5eca5976deda773e38bd7d7cee3eda3bd40f3e5e1b6911
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 37a87cdb28850234de622557e92ff127d2d0246249dc2e8379543994a4c8e01f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1C01D235900A17CBCF02EBA4E891AAE7761EF80720F280118E411AB395CF34AE418BF4
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D91F9D
                                                                                                                                                                                                                                                    • Part of subcall function 00D98080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00D97F9B,?,?,?,?,00D97F9B,0000000C,00DC2FA4,0000000C), ref: 00D980E0
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ExceptionRaise___std_exception_copy
                                                                                                                                                                                                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                                                                                                                                                                                  • API String ID: 3109751735-1866435925
                                                                                                                                                                                                                                                  • Opcode ID: 2e5315a7acc53bf23e565a9c9275e0a87485c36ad4f597f9ca34e156096aae62
                                                                                                                                                                                                                                                  • Instruction ID: e73701780c4b20208507e6533823b0988b4a6ed7b01c81f3681ebc6be1fa82e1
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2e5315a7acc53bf23e565a9c9275e0a87485c36ad4f597f9ca34e156096aae62
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: ED11E4B791471AABCB10DF58C801B96B3E8EF05310F18852AF958D7241F770E854CBB1
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,00D9B713,00000000,00000001,00DC568C,?,?,?,00D9B8B6,00000004,InitializeCriticalSectionEx,00DB7C38,InitializeCriticalSectionEx), ref: 00D9B76F
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32(?,00D9B713,00000000,00000001,00DC568C,?,?,?,00D9B8B6,00000004,InitializeCriticalSectionEx,00DB7C38,InitializeCriticalSectionEx,00000000,?,00D9B66D), ref: 00D9B779
                                                                                                                                                                                                                                                  • LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,00D9A583), ref: 00D9B7A1
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                                                  • String ID: api-ms-
                                                                                                                                                                                                                                                  • API String ID: 3177248105-2084034818
                                                                                                                                                                                                                                                  • Opcode ID: 1b4913a3204af3700cff58327daf8f122158473fcb697b413f65913c1a222b35
                                                                                                                                                                                                                                                  • Instruction ID: 14071e0843a465a69ecd07249442392e2c720eefda5e8daaec2332b0d50b5bbc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b4913a3204af3700cff58327daf8f122158473fcb697b413f65913c1a222b35
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F0E04F30280308FFEF502FA2EC0AF693E65AB40B94F144131F90EE81E1D765D92089B4
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetConsoleOutputCP.KERNEL32(EEE5288E,00000000,00000000,00D9BDA8), ref: 00DA6515
                                                                                                                                                                                                                                                    • Part of subcall function 00DAB07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00DA9046,?,00000000,-00000008), ref: 00DAB127
                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00DA6770
                                                                                                                                                                                                                                                  • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00DA67B8
                                                                                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00DA685B
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: 8b42bfe34d4007ff18b004eef2aece8f8318e7033b63a7fab5c4ebc4a9ff5242
• Instruction ID: 933c559116add17de8ac9a751c402136a60f620a6993b0137e7d89f78956a346
• Opcode Fuzzy Hash: 8b42bfe34d4007ff18b004eef2aece8f8318e7033b63a7fab5c4ebc4a9ff5242
• Instruction Fuzzy Hash: D1D148B5D00259DFCF15CFA9D880AADBBB9FF09304F18412AE956E7391D634E942CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: d8acc0bd71963c0e1861eefb29da152289ec1bd80e2ef4d7cfef7a6a5e9d3770
• Instruction ID: 9edf18a0f28618279716a3c2030dcb9ca01558b0fa0d535f588873dcab7412c5
• Opcode Fuzzy Hash: d8acc0bd71963c0e1861eefb29da152289ec1bd80e2ef4d7cfef7a6a5e9d3770
• Instruction Fuzzy Hash: 3151BE73A00206AFEF299F59D841B7A77A4EF44710F18442DE80587291E731EC42DBF2
APIs
  • Part of subcall function 00DAB07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00DA9046,?,00000000,-00000008), ref: 00DAB127
• GetLastError.KERNEL32 ref: 00DAB4FB
• __dosmaperr.LIBCMT ref: 00DAB502
• GetLastError.KERNEL32(?,?,?,?), ref: 00DAB53C
• __dosmaperr.LIBCMT ref: 00DAB543
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide
• String ID:
• API String ID: 1913693674-0
• Opcode ID: 4ac1638ec0d9add04617bd955d24d0290706c18b047969d580e39ee6f390319b
• Instruction ID: 99b2c1fbeabaac8eac283317ffe9b4c12303f2f6f725224f7849bfbee396d8b9
• Opcode Fuzzy Hash: 4ac1638ec0d9add04617bd955d24d0290706c18b047969d580e39ee6f390319b
• Instruction Fuzzy Hash: 0121C271A00605AF9F20AF65888196BB7A8FF06374714862AF959D7253D775EC018BB0
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06e6fee2d2d09b88455f9209d8f4b9d39cf499d83d6b992ad39b84e803214fdd
• Instruction ID: 8c8f2e368518b0d9961266331bc57e981ab1e3fa39e8adbb85f8e03dbf617c4e
• Opcode Fuzzy Hash: 06e6fee2d2d09b88455f9209d8f4b9d39cf499d83d6b992ad39b84e803214fdd
• Instruction Fuzzy Hash: 8D21C03120020AAFAB20AF718C91A6B7BACFF463647188615F959D7152E771EC10CBB0
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00DAC435
  • Part of subcall function 00DAB07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00DA9046,?,00000000,-00000008), ref: 00DAB127
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DAC46D
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00DAC48D
Yara matches
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
• Opcode ID: d10721220a742ed0caeadfe206afc56333e6c3d6245146bbb65e3d299fc384f5
• Instruction ID: dfe81176f0aec59a0328aa1ff537eec345c0fb2caab3cb6c06d49ad13ed4585e
• Opcode Fuzzy Hash: d10721220a742ed0caeadfe206afc56333e6c3d6245146bbb65e3d299fc384f5
• Instruction Fuzzy Hash: B51122B6915715FFA72127B69C8ACBF696CDE9B3F43104025F902D1202EBB8ED4181B8
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00DB1C32,00000000,00000001,00000000,00D9BDA8,?,00DA68AF,00D9BDA8,00000000,00000000), ref: 00DB41F0
• GetLastError.KERNEL32(?,00DB1C32,00000000,00000001,00000000,00D9BDA8,?,00DA68AF,00D9BDA8,00000000,00000000,00D9BDA8,00D9BDA8,?,00DA6E6D,?), ref: 00DB41FC
  • Part of subcall function 00DB41C2: CloseHandle.KERNEL32(FFFFFFFE,00DB420C,?,00DB1C32,00000000,00000001,00000000,00D9BDA8,?,00DA68AF,00D9BDA8,00000000,00000000,00D9BDA8,00D9BDA8), ref: 00DB41D2
• ___initconout.LIBCMT ref: 00DB420C
  • Part of subcall function 00DB4184: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00DB41B3,00DB1C1F,00D9BDA8,?,00DA68AF,00D9BDA8,00000000,00000000,00D9BDA8), ref: 00DB4197
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00DB1C32,00000000,00000001,00000000,00D9BDA8,?,00DA68AF,00D9BDA8,00000000,00000000,00D9BDA8), ref: 00DB4221
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 2744216297-0
                                                                                                                                                                                                                                                  • Opcode ID: 68cbb11e4b74b61b5a25b431da2a3475260587753178d510c92817949be105c7
                                                                                                                                                                                                                                                  • Instruction ID: 00dbb0e6c3ba42cd0da00142bba83285602af828a88d41cc0f0e7491879203ad
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 68cbb11e4b74b61b5a25b431da2a3475260587753178d510c92817949be105c7
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 37F01C36900719FBCF226F99EC05DC93F26FB097A1F044110FA1BD5222CA32C860ABB4
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 00D91F9D
  • Part of subcall function 00D98080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00D97F9B,?,?,?,?,00D97F9B,0000000C,00DC2FA4,0000000C), ref: 00D980E0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise___std_exception_copy
• String ID: ios_base::badbit set$ios_base::failbit set
• API String ID: 3109751735-1240500531
• Opcode ID: 7dc241616880f5d09615edccbf17a47d735093c67ac3f6cd1383608cd5734b0e
• Instruction ID: 184ca551b0aba9a20fb9672807331ffa093cdb4fec3bea4945c8473152594ff4
• Opcode Fuzzy Hash: 7dc241616880f5d09615edccbf17a47d735093c67ac3f6cd1383608cd5734b0e
• Instruction Fuzzy Hash: DA4126B6504306AFCB04DF28C841AAAF7E9EF85310F188A1DF95987741E770E945CBB1
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00D9A45F
• __IsNonwritableInCurrentImage.LIBCMT ref: 00D9A513
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 3480331319-1018135373
• Opcode ID: de58883fe63a7e23d8a9022e9be9fb35c2aeac01818f2866b32b8f5c226cf9cd
• Instruction ID: 5d71160c48c7994ff3e9ed0c6f3a13c5685bea8a378601282f1fd3c03e367c6b
• Opcode Fuzzy Hash: de58883fe63a7e23d8a9022e9be9fb35c2aeac01818f2866b32b8f5c226cf9cd
• Instruction Fuzzy Hash: 0841B331A00209EBCF10DF6CD884A9E7BB5EF45324F188155E8199B352D775E915CBF2
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00D9AD52
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 30e462aeafd16864a8918ad5a973161002de7abbdd8c06e2f23c050c2698baee
• Instruction ID: 97b79fbfe1455f8e9d34f4539cddf9ade6664b15e6cfcfa131578b9f2c9dc493
• Opcode Fuzzy Hash: 30e462aeafd16864a8918ad5a973161002de7abbdd8c06e2f23c050c2698baee
• Instruction Fuzzy Hash: 78416C72A00209EFCF16DF98CC81AEE7BB5FF48304F198059F90467211D3359950DBA2
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00D91875
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D918BA
  • Part of subcall function 00D9589A: _Yarn.LIBCPMT ref: 00D958B9
  • Part of subcall function 00D9589A: _Yarn.LIBCPMT ref: 00D958DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
• Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d90000_file.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
• String ID: bad locale name
• API String ID: 1908188788-1405518554
• Opcode ID: 9ca80b90f560a49b7cc70dec92b2c64de5a026bec2bb4d3ea08d5d25fb441f0f
• Instruction ID: df5193784c009ab6d74caf0e4883e1bebcf8868cfd1e0c54039bf9040591328f
• Opcode Fuzzy Hash: 9ca80b90f560a49b7cc70dec92b2c64de5a026bec2bb4d3ea08d5d25fb441f0f
• Instruction Fuzzy Hash: 03F01760505B519ED371DF3A9404743BEE0AF2A714F048E2EE4CAC7A52E775E508CBB6
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 00D912D5
                                                                                                                                                                                                                                                    • Part of subcall function 00D955CE: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00D955DA
                                                                                                                                                                                                                                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00D912FC
                                                                                                                                                                                                                                                  Strings
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000000.00000002.2121258711.0000000000D91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D90000, based on PE: true
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121176907.0000000000D90000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121316317.0000000000DB6000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DC4000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000DFA000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121335262.0000000000E09000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  • Associated: 00000000.00000002.2121426204.0000000000E8D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_d90000_file.jbxd
                                                                                                                                                                                                                                                  Yara matches
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
                                                                                                                                                                                                                                                  • String ID: string too long
                                                                                                                                                                                                                                                  • API String ID: 1846318660-2556327735
                                                                                                                                                                                                                                                  • Opcode ID: 6df7c8f25c5d3541322afbfd9feffc911e7507478026ce4e2faf6a2cfaad35c5
                                                                                                                                                                                                                                                  • Instruction ID: c89fd083673db13fec1f832717430e122c9d66a4c4d2651b798043884e826911
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6df7c8f25c5d3541322afbfd9feffc911e7507478026ce4e2faf6a2cfaad35c5
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: DEE0C2729343119BDB00AF949801986B2D8DF56310310CA2AF044B7201F7B0D8848774

                                                                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                                                                  Execution Coverage:10.3%
                                                                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:99.3%
                                                                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                                                                  Total number of Nodes:535
                                                                                                                                                                                                                                                  Total number of Limit Nodes:33
                                                                                                                                                                                                                                                  [Execution graph rendering omitted: 535 nodes, 33 limit nodes. The graph consists of disconnected subgraphs rooted at 2f546f0, 557a040, 12bd01c, 557373d, 2f5e938, 566e0b8, 566dd58, 55779c8, 5575a48 and 557d738, with node addresses in the 12bdxxx, 2f5xxxx, 557xxxx and 566xxxx ranges. Win32 APIs reached along the graph edges: GetModuleHandleW, CreateWindowExW, PostMessageW, KiUserCallbackDispatcher, CreateActCtxA, SetWindowLongW, DuplicateHandle, CallWindowProcW and SetWindowTextW.]

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02F5C7DE
                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.2141014809.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f50000_IDVNp0HKaI.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: d3c0d3c24846b22d6fc3f5a85ca89dcfcb3683fa26bbb3d010258220fa1e0ab1
• Instruction ID: 4b62b49f20540c4ccb653c0d81c4e4051a92934b9104b97f83ca8c0c4dfe4d00
• Opcode Fuzzy Hash: d3c0d3c24846b22d6fc3f5a85ca89dcfcb3683fa26bbb3d010258220fa1e0ab1
• Instruction Fuzzy Hash: 0D812470A00B158FD724DF2AD48479ABBF1FF88344F00892EDA8A97A50DB75E945CF91

Control-flow Graph

control_flow_graph 60 5571188-5573376 62 5573381-5573388 60->62 63 5573378-557337e 60->63 64 5573393-5573432 CreateWindowExW 62->64 65 557338a-5573390 62->65 63->62 67 5573434-557343a 64->67 68 557343b-5573473 64->68 65->64 67->68 72 5573475-5573478 68->72 73 5573480 68->73 72->73 74 5573481 73->74 74->74
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05573422
Memory Dump Source
• Source File: 00000002.00000002.2145568846.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5570000_IDVNp0HKaI.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 785b60adfc37ee0d062477447670b7f2d2c7090eebf7068338c5dcb8b6b301d7
• Instruction ID: 14d1b3a19cb831c9ce40d12d5e2aef042b6336d77cd17233eca0c47eb1307bc8
• Opcode Fuzzy Hash: 785b60adfc37ee0d062477447670b7f2d2c7090eebf7068338c5dcb8b6b301d7
• Instruction Fuzzy Hash: 6851BFB1D0034D9FDB14CF9AD884ADEBBB6BF48310F25862AE819AB210D7759945CF90

Control-flow Graph

control_flow_graph 75 5573304-5573376 76 5573381-5573388 75->76 77 5573378-557337e 75->77 78 5573393-55733cb 76->78 79 557338a-5573390 76->79 77->76 80 55733d3-5573432 CreateWindowExW 78->80 79->78 81 5573434-557343a 80->81 82 557343b-5573473 80->82 81->82 86 5573475-5573478 82->86 87 5573480 82->87 86->87 88 5573481 87->88 88->88
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05573422
Memory Dump Source
• Source File: 00000002.00000002.2145568846.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5570000_IDVNp0HKaI.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: ecca922aec37154c7139c94dc4dc2befd7fc07657a55580741c68a751f6ea8c4
• Instruction ID: 55c4571b12520ffe5a32c98d2c89ccb7d01fafa218634478e7af696c5914c23d
• Opcode Fuzzy Hash: ecca922aec37154c7139c94dc4dc2befd7fc07657a55580741c68a751f6ea8c4
• Instruction Fuzzy Hash: D951D0B1D00309DFDB14CFA9D884ADEBBB6FF48314F25862AE819AB210D7759945CF90

Control-flow Graph

control_flow_graph 89 55712dc-557591c 92 5575922-5575927 89->92 93 55759cc-55759ec call 55711b4 89->93 95 557597a-55759b2 CallWindowProcW 92->95 96 5575929-5575960 92->96 100 55759ef-55759fc 93->100 98 55759b4-55759ba 95->98 99 55759bb-55759ca 95->99 102 5575962-5575968 96->102 103 5575969-5575978 96->103 98->99 99->100 102->103 103->100
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 055759A1
Memory Dump Source
• Source File: 00000002.00000002.2145568846.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5570000_IDVNp0HKaI.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 611f2d46ca0e9d099ae91c9300b9846c1ad76aa266a1b96b0024b0f29236eadc
• Instruction ID: 9aaf3da9cfbb5e7b52bfd92d37214b079d43a333af69a7ba04ceade22f6d39e9
• Opcode Fuzzy Hash: 611f2d46ca0e9d099ae91c9300b9846c1ad76aa266a1b96b0024b0f29236eadc
• Instruction Fuzzy Hash: 8441F8B5900309DFDB14CF59D489AAABBF5FF88324F248459E519AB321E774A841CFA0

Control-flow Graph

control_flow_graph 106 2f5459c-2f55a89 CreateActCtxA 109 2f55a92-2f55aec 106->109 110 2f55a8b-2f55a91 106->110 117 2f55aee-2f55af1 109->117 118 2f55afb-2f55aff 109->118 110->109 117->118 119 2f55b01-2f55b0d 118->119 120 2f55b10 118->120 119->120 122 2f55b11 120->122 122->122
APIs
• CreateActCtxA.KERNEL32(?), ref: 02F55A79
Memory Dump Source
• Source File: 00000002.00000002.2141014809.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f50000_IDVNp0HKaI.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8009e2091c1cbc73c4285bb8c69b897fd90be4fc0e3c6d347fff5134d6e75e0c
• Instruction ID: dd7e4c635b5a956e5cb1e77e3cea31234185c97f7a98ce09876b8ef1c004f019
• Opcode Fuzzy Hash: 8009e2091c1cbc73c4285bb8c69b897fd90be4fc0e3c6d347fff5134d6e75e0c
• Instruction Fuzzy Hash: 0041E3B0D0072DCBDB24DFA9C9847DEBBB5BF48304F60816AD608AB251DB756949CF90

Control-flow Graph

control_flow_graph 123 2f559bd-2f55a89 CreateActCtxA 125 2f55a92-2f55aec 123->125 126 2f55a8b-2f55a91 123->126 133 2f55aee-2f55af1 125->133 134 2f55afb-2f55aff 125->134 126->125 133->134 135 2f55b01-2f55b0d 134->135 136 2f55b10 134->136 135->136 138 2f55b11 136->138 138->138
APIs
• CreateActCtxA.KERNEL32(?), ref: 02F55A79
Memory Dump Source
• Source File: 00000002.00000002.2141014809.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f50000_IDVNp0HKaI.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f4ecd898c80d84023fcdd2cedfa04a99597d1336f473d5d730b3b8aa5d5ba0a4
• Instruction ID: 999399b1b3e927a31b916294d0bd0708b968ee32e288eda73a2022fe7fc94388
• Opcode Fuzzy Hash: f4ecd898c80d84023fcdd2cedfa04a99597d1336f473d5d730b3b8aa5d5ba0a4
• Instruction Fuzzy Hash: F741DFB0C0072DCBEB24CFA9C9847DEBBB1BF48304F60855AD508AB251DB75694ACF90

Control-flow Graph

control_flow_graph 139 2f5cbe8-2f5ec14 DuplicateHandle 141 2f5ec16-2f5ec1c 139->141 142 2f5ec1d-2f5ec3a 139->142 141->142
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F5EB46,?,?,?,?,?), ref: 02F5EC07
Memory Dump Source
• Source File: 00000002.00000002.2141014809.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f50000_IDVNp0HKaI.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 3bb85c7470488b14d64c21655189d6ff62801fec31ddc4a520a16bed87bd9977
• Instruction ID: bb3b37bf7069f1dd85474e9c2f665ed4ad907a7c41287ae84b32641425ee82a9
• Opcode Fuzzy Hash: 3bb85c7470488b14d64c21655189d6ff62801fec31ddc4a520a16bed87bd9977
• Instruction Fuzzy Hash: F821E6B5900219DFDB10CF9AD584ADEBFF4FB48320F14841AEA14A7310D375A954CFA4

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 145 2f5eb7a-2f5eb7b 146 2f5eb80-2f5ec14 DuplicateHandle 145->146 147 2f5ec16-2f5ec1c 146->147 148 2f5ec1d-2f5ec3a 146->148 147->148
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F5EB46,?,?,?,?,?), ref: 02F5EC07
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2141014809.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_2f50000_IDVNp0HKaI.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: DuplicateHandle
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 3793708945-0
                                                                                                                                                                                                                                                  • Opcode ID: b5ad25c330035b6e180d149fe7c7f5f430719380d00aa346b231eddeb2a4755c
                                                                                                                                                                                                                                                  • Instruction ID: cc8e8f2a495836d662447dac6a08890523d1ab8d31d8ad7b48a8b1991166cfe9
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b5ad25c330035b6e180d149fe7c7f5f430719380d00aa346b231eddeb2a4755c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7F21E4B5901219EFDB10CF9AD984ADEBFF4FB48324F14801AE918A7350D374A950CFA4

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 151 566dd50-566dd98 152 566dda0-566ddcf SetWindowTextW 151->152 153 566dd9a-566dd9d 151->153 154 566ddd1-566ddd7 152->154 155 566ddd8-566ddf9 152->155 153->152 154->155
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 0566DDC2
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2145744529.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_5660000_IDVNp0HKaI.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: TextWindow
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 530164218-0
                                                                                                                                                                                                                                                  • Opcode ID: 3881956a6aadc30b3c88857c141782d6fba0c1d78910353d3e893cf81d21305e
                                                                                                                                                                                                                                                  • Instruction ID: 68b94309b7e7dc9b2d5197eef7c33751815d00f982b816c74461cfd710964a65
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3881956a6aadc30b3c88857c141782d6fba0c1d78910353d3e893cf81d21305e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D81100B69006098FDB14CF9AC544BEEBBF4BF88320F14842AD859A3640D378A645CFA1

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 157 566dd58-566dd98 158 566dda0-566ddcf SetWindowTextW 157->158 159 566dd9a-566dd9d 157->159 160 566ddd1-566ddd7 158->160 161 566ddd8-566ddf9 158->161 159->158 160->161
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 0566DDC2
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2145744529.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_5660000_IDVNp0HKaI.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: TextWindow
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 530164218-0
                                                                                                                                                                                                                                                  • Opcode ID: 34fcac91cb799fa3540a6bf7b76e2840797aa780e16797112840a2a7971409bf
                                                                                                                                                                                                                                                  • Instruction ID: 07617bd829c103be1f4669b524344b47754d3fdcd5f8222630f93c8e5220cfda
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 34fcac91cb799fa3540a6bf7b76e2840797aa780e16797112840a2a7971409bf
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB1123B29006498FDB14DF9AC444BDEFBF4FF88320F14842AD859A3640D778A545CFA1

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 185 566f7d9-566f7da 186 566f7e1-566f84a PostMessageW 185->186 187 566f7dc-566f7de 185->187 188 566f853-566f867 186->188 189 566f84c-566f852 186->189 187->186 189->188
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000018,00000001,?), ref: 0566F83D
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2145744529.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_5660000_IDVNp0HKaI.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                                                                                                                  • Opcode ID: b3df2f52c050fe238fa69fb734cb964c1b256e3bde6472e67e96238ad43ecae0
                                                                                                                                                                                                                                                  • Instruction ID: 6df5e1d32a724a64ae5d008f517b17ec60e325719ad3597455f8e09fd6d2d0c7
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b3df2f52c050fe238fa69fb734cb964c1b256e3bde6472e67e96238ad43ecae0
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 281113B58003498FDB10CF9AD985BDEBFF4FB48324F10845AE918A7210C3B9A944CFA1

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 179 566bf7c-566f84a PostMessageW 182 566f853-566f867 179->182 183 566f84c-566f852 179->183 183->182
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • PostMessageW.USER32(?,00000018,00000001,?), ref: 0566F83D
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000002.00000002.2145744529.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_2_2_5660000_IDVNp0HKaI.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID: MessagePost
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID: 410705778-0
                                                                                                                                                                                                                                                  • Opcode ID: 7b5f7c13472e08b4bb16c297745ce1d6f3e5a5aec7cc3d733fa6b3f25d7a1f5f
                                                                                                                                                                                                                                                  • Instruction ID: 3ab557bda78fb3cb76aecb7e9f205b920482655e163bd9b57f0430d9ed989e86
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b5f7c13472e08b4bb16c297745ce1d6f3e5a5aec7cc3d733fa6b3f25d7a1f5f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1D11F2B58003499FDB50DF9AD485BDEFBF8FB48324F10845AE919A7200C3B5A984CFA5

                                                                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                                                                  control_flow_graph 163 2f5c778-2f5c7b8 164 2f5c7c0-2f5c7eb GetModuleHandleW 163->164 165 2f5c7ba-2f5c7bd 163->165 166 2f5c7f4-2f5c808 164->166 167 2f5c7ed-2f5c7f3 164->167 165->164 167->166
                                                                                                                                                                                                                                                  APIs
                                                                                                                                                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 02F5C7DE
                                                                                                                                                                                                                                                  Memory Dump Source
• Source File: 00000002.00000002.2141014809.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_2f50000_IDVNp0HKaI.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: a6d5644a1f976675c5d78f7c96df37b437d33f2c579d6106e33caa4e25294d6e
• Instruction ID: 51367290b1eb87be7c0626e7bc770523eb18a6796df25ef86e3b8ad02a298efc
• Opcode Fuzzy Hash: a6d5644a1f976675c5d78f7c96df37b437d33f2c579d6106e33caa4e25294d6e
• Instruction Fuzzy Hash: 611102B6C007498FDB10CF9AD444BDEFBF4AB88224F10841AD919A7600C379A545CFA1

Control-flow Graph (rendered graph not reproduced): basic blocks 5573551-5573553 -> 5573558-55735c2 (calls SetWindowLongW) -> 55735c4-55735ca / 55735cb-55735df

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,05573540,?,?,?,?), ref: 055735B5
Memory Dump Source
• Source File: 00000002.00000002.2145568846.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5570000_IDVNp0HKaI.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: bf1555dcd68a2b2d6aad684aa7fd4f34d89f6a4286431ea8e1e91247af43dbef
• Instruction ID: 420c9ac478800f63d04969c8aa18d5a38674e3e9c61e30c9e2ad78662de300c8
• Opcode Fuzzy Hash: bf1555dcd68a2b2d6aad684aa7fd4f34d89f6a4286431ea8e1e91247af43dbef
• Instruction Fuzzy Hash: FB1103B58002499FDB10CF9AD985BDEBFF8FB48324F20841AD918A7340C3B5A944CFA5

Control-flow Graph (rendered graph not reproduced): basic blocks 55711c4-55735c2 (calls SetWindowLongW) -> 55735c4-55735ca / 55735cb-55735df

APIs
• SetWindowLongW.USER32(?,?,?,?,?,?,?,?,05573540,?,?,?,?), ref: 055735B5
Memory Dump Source
• Source File: 00000002.00000002.2145568846.0000000005570000.00000040.00000800.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_5570000_IDVNp0HKaI.jbxd
Similarity
• API ID: LongWindow
• String ID:
• API String ID: 1378638983-0
• Opcode ID: 311abc868fd63339f4d99733d43f319f8d1513dc54900d70a8f383f322840f5e
• Instruction ID: ca5c4865c6917b3b79997b7a2bf25955a827ec1d00110866ef5ab0a1d3743712
• Opcode Fuzzy Hash: 311abc868fd63339f4d99733d43f319f8d1513dc54900d70a8f383f322840f5e
• Instruction Fuzzy Hash: D611F5B590024D9FDB10CF9AD584BDEBBF8FB48324F10841AD919A7300C3B4A944CFA5
Memory Dump Source
• Source File: 00000002.00000002.2138713581.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12ad000_IDVNp0HKaI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04975bb3c3fca988d6c5e683394ed5d74dd229cbb7de7f52f76595dbfe82d23a
• Instruction ID: 69cbc1daa3a192100de5c4bf1fbb414d5fcd6c696c83cdd15e92602ff64a3145
• Opcode Fuzzy Hash: 04975bb3c3fca988d6c5e683394ed5d74dd229cbb7de7f52f76595dbfe82d23a
• Instruction Fuzzy Hash: 4021AC76110308DFCB05DF44E9C0F26BF61FB88318F60816CDA490B616C376D406CBA1
Memory Dump Source
• Source File: 00000002.00000002.2138760755.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12bd000_IDVNp0HKaI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0456dfa74ad0b3fc1f4653b0ac6c6f92daaa03927114b4808930f00eb7fca94b
• Instruction ID: e9d129aa6d9049754263bdfbc7b7144ebc2d18ea42f7b5c0a944afd08fe79236
• Opcode Fuzzy Hash: 0456dfa74ad0b3fc1f4653b0ac6c6f92daaa03927114b4808930f00eb7fca94b
• Instruction Fuzzy Hash: FE212575514208DFDB15DF54D5C0BA6BF61FB84398F24C96DDA0A0B252C37AD407CA61
Memory Dump Source
• Source File: 00000002.00000002.2138760755.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12bd000_IDVNp0HKaI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a6825ec57a14e3ebc33c5fafafc23621e0473d4caeda580e3cdbf2f46b84497
• Instruction ID: 8e36f686896e644e9bfc6c42f73f9186d08a9c26e47f44fc0b30302094bb255c
• Opcode Fuzzy Hash: 3a6825ec57a14e3ebc33c5fafafc23621e0473d4caeda580e3cdbf2f46b84497
• Instruction Fuzzy Hash: EA214675524388EFDB05DF94D9C0BA6BBA1FB84328F20C56DEA094B253C376D806CB61
Memory Dump Source
• Source File: 00000002.00000002.2138760755.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12bd000_IDVNp0HKaI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95720e7f6eb0dd15adb1d057807895d52c5e1fc28633b34c0f5cccd6ff5a3504
• Instruction ID: 1b5869b288da62a887a8dcbf49ad6aab6f7030d66946add05e22b8a11b077e8a
• Opcode Fuzzy Hash: 95720e7f6eb0dd15adb1d057807895d52c5e1fc28633b34c0f5cccd6ff5a3504
• Instruction Fuzzy Hash: 5E217F755083849FCB02CF64D994B51BF71EB46318F28C5DAD9498B2A7C33A981ACB62
Memory Dump Source
• Source File: 00000002.00000002.2138713581.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12ad000_IDVNp0HKaI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction ID: 15a2285e85b56ff87b8f61161e4bc93891dd255e7ac5c55f0b35c5addb697cc0
• Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
• Instruction Fuzzy Hash: A01126B6404284CFCB12CF44D5C4B16BF71FB84318F24C6A9D9490B667C33AD45ACBA1
Memory Dump Source
• Source File: 00000002.00000002.2138760755.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12bd000_IDVNp0HKaI.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Instruction ID: 2462c5a6c90795739fd10bd89ae8526abc2ccb3cec99b415f7d9f8087e05b669
• Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
• Instruction Fuzzy Hash: 7511BB75504284DFDB02CF54C5C0B95BFA1FB84328F24C6A9D9494B2A7C33AD40ACB61

Execution Graph

Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 52
Total number of Limit Nodes: 8
execution_graph 29809 232ad38 29813 232ae30 29809->29813 29823 232ae20 29809->29823 29810 232ad47 29814 232ae41 29813->29814 29818 232ae64 29813->29818 29833 2329838 29814->29833 29817 232ae5c 29817->29818 29819 232b068 GetModuleHandleW 29817->29819 29818->29810 29820 232b095 29819->29820 29820->29810 29824 232ae41 29823->29824 29827 232ae64 29823->29827 29825 2329838 GetModuleHandleW 29824->29825 29826 232ae4c 29825->29826 29826->29827 29831 232b0b8 GetModuleHandleW 29826->29831 29832 232b0c8 GetModuleHandleW 29826->29832 29827->29810 29828 232ae5c 29828->29827 29829 232b068 GetModuleHandleW 29828->29829 29830 232b095 29829->29830 29830->29810 29831->29828 29832->29828 29834 232b020 GetModuleHandleW 29833->29834 29836 232ae4c 29834->29836 29836->29818 29837 232b0c8 29836->29837 29840 232b0b8 29836->29840 29838 2329838 GetModuleHandleW 29837->29838 29839 232b0dc 29837->29839 29838->29839 29839->29817 29841 2329838 GetModuleHandleW 29840->29841 29842 232b0dc 29841->29842 29842->29817 29843 232d0b8 29844 232d0fe 29843->29844 29848 232d298 29844->29848 29851 232d289 29844->29851 29845 232d1eb 29854 232c9a0 29848->29854 29852 232d2c6 29851->29852 29853 232c9a0 DuplicateHandle 29851->29853 29852->29845 29853->29852 29855 232d300 DuplicateHandle 29854->29855 29856 232d2c6 29855->29856 29856->29845 29857 2324668 29858 2324684 29857->29858 29859 2324696 29858->29859 29861 23247a0 29858->29861 29862 23247c5 29861->29862 29866 23248b0 29862->29866 29870 23248a1 29862->29870 29867 23248d7 29866->29867 29869 23249b4 29867->29869 29874 2324248 29867->29874 29872 23248d7 29870->29872 29871 23249b4 29871->29871 29872->29871 29873 2324248 CreateActCtxA 29872->29873 29873->29871 29875 2325940 CreateActCtxA 29874->29875 29877 2325a03 29875->29877

Control-flow Graph

control_flow_graph 1439 5c467d8-5c467f0 1441 5c467f2-5c467fb 1439->1441 1442 5c4682a-5c46849 1439->1442 1443 5c4684c-5c468cd 1441->1443 1444 5c467fd-5c4680d 1441->1444 1454 5c46ae0-5c46b04 1443->1454 1455 5c468d3-5c468df 1443->1455 1446 5c46815-5c46817 1444->1446 1448 5c46821-5c46827 1446->1448 1449 5c46819-5c4681e 1446->1449 1448->1442 1461 5c46c31-5c46c35 1454->1461 1462 5c46b0a-5c46b0e 1454->1462 1456 5c468e5-5c468fc 1455->1456 1457 5c46c6f-5c46c79 1455->1457 1456->1454 1465 5c46902-5c46946 1456->1465 1466 5c46c40-5c46c45 1457->1466 1467 5c46c7b-5c46c81 1457->1467 1463 5c46c37-5c46c3b 1461->1463 1464 5c46c63-5c46c6c 1461->1464 1468 5c46b14-5c46b1a 1462->1468 1469 5c46bcc-5c46bd2 1462->1469 1463->1464 1470 5c46c3d 1463->1470 1500 5c46956 1465->1500 1501 5c46948-5c46954 call 5c43c88 1465->1501 1471 5c46c48-5c46c5e 1466->1471 1467->1471 1474 5c46c83-5c46c96 1467->1474 1475 5c46b33-5c46bbc 1468->1475 1476 5c46b1c-5c46b20 1468->1476 1472 5c46bd4-5c46c1a 1469->1472 1473 5c46c25-5c46c2e 1469->1473 1470->1466 1471->1464 1483 5c46c60 1471->1483 1472->1473 1482 5c46ca0-5c46caa 1474->1482 1475->1473 1533 5c46bbe-5c46bca 1475->1533 1476->1469 1478 5c46b26-5c46b2d 1476->1478 1478->1469 1478->1475 1485 5c46cc4-5c46cd9 1482->1485 1486 5c46cac-5c46cc3 1482->1486 1483->1464 1485->1482 1493 5c46cdb-5c46cf1 1485->1493 1495 5c46d67-5c46d6f 1493->1495 1496 5c46cf3-5c46d0f 1493->1496 1507 5c46d70-5c46dc5 1496->1507 1508 5c46d11-5c46d16 1496->1508 1502 5c46958-5c46968 1500->1502 1501->1502 1512 5c469a7-5c469eb 1502->1512 1513 5c4696a-5c46971 1502->1513 1535 5c46e60-5c46e66 1507->1535 1536 5c46dcb-5c46dd1 1507->1536 1508->1495 1510 5c46d18 1508->1510 1515 5c46d1b-5c46d1e 1510->1515 1549 5c469ed-5c469f9 call 5c43c88 1512->1549 1550 5c469fb 1512->1550 1516 5c46973-5c46989 1513->1516 1517 5c4698b-5c46992 1513->1517 1515->1507 1518 5c46d20-5c46d2c 1515->1518 1520 5c46995-5c46997 1516->1520 1517->1520 1522 5c46d51-5c46d57 1518->1522 1523 5c46d2e-5c46d43 1518->1523 1520->1512 1526 5c46999-5c4699d 1520->1526 1522->1507 1527 5c46d59-5c46d65 1522->1527 1523->1522 1534 5c46d45-5c46d50 1523->1534 1526->1512 1530 5c4699f-5c469a2 1526->1530 1527->1495 1527->1515 1537 5c46ad6-5c46ada 1530->1537 1533->1473 1539 5c46dd3-5c46de7 call 5c46ce0 1536->1539 1540 5c46de9-5c46dee 1536->1540 1537->1454 1537->1455 1543 5c46df1-5c46df3 1539->1543 1540->1543 1546 5c46df5-5c46e03 1543->1546 1547 5c46e3b-5c46e5a 1543->1547 1546->1547 1548 5c46e05-5c46e0b 1546->1548 1547->1535 1547->1536 1551 5c46e21-5c46e23 1548->1551 1552 5c46e0d-5c46e13 1548->1552 1554 5c469fd-5c46a0d 1549->1554 1550->1554 1557 5c46e25-5c46e2f 1551->1557 1558 5c46e31-5c46e39 1551->1558 1552->1547 1556 5c46e15-5c46e1f 1552->1556 1564 5c46a13-5c46a19 1554->1564 1565 5c46a0f-5c46a11 1554->1565 1556->1547 1557->1535 1558->1535 1558->1547 1567 5c46a21-5c46a23 1564->1567 1565->1567 1568 5c46ad3 1567->1568 1569 5c46a29-5c46a2f 1567->1569 1568->1537 1570 5c46a35-5c46ab9 1569->1570 1571 5c46ac7-5c46ad0 1569->1571 1570->1571 1580 5c46abb-5c46abe 1570->1580 1580->1571
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38bcf112742e6c4613e6cba9f888ec31d3ce70e69acaceef86c6ec7653402b2c
• Instruction ID: 9ae592873d7aa20ada59cf700c605ac9df61f969860cc58dfc7904b620d33c93
• Opcode Fuzzy Hash: 38bcf112742e6c4613e6cba9f888ec31d3ce70e69acaceef86c6ec7653402b2c
• Instruction Fuzzy Hash: E222DF70A002059FDB15DFA8D880F9EBBF2FF85314F148969E505AB265DB70ED86CB90

Control-flow Graph

control_flow_graph 1581 5c43f50-5c43f84 1584 5c43f86-5c43f8f 1581->1584 1585 5c43f92-5c43fa5 1581->1585 1584->1585 1586 5c44215-5c44219 1585->1586 1587 5c43fab-5c43fae 1585->1587 1589 5c4422e-5c44238 1586->1589 1590 5c4421b-5c4422b 1586->1590 1591 5c43fb0-5c43fb5 1587->1591 1592 5c43fbd-5c43fc9 1587->1592 1590->1589 1591->1592 1593 5c44253-5c44299 1592->1593 1594 5c43fcf-5c43fe1 1592->1594 1601 5c442a8-5c442d0 1593->1601 1602 5c4429b-5c442a5 1593->1602 1599 5c43fe7-5c4403a 1594->1599 1600 5c4414d-5c4415b 1594->1600 1631 5c4403c-5c44048 call 5c43c88 1599->1631 1632 5c4404a 1599->1632 1607 5c441e0-5c441e2 1600->1607 1608 5c44161-5c4416f 1600->1608 1623 5c44425-5c44443 1601->1623 1624 5c442d6-5c442ef 1601->1624 1602->1601 1611 5c441e4-5c441ea 1607->1611 1612 5c441f0-5c441fc 1607->1612 1609 5c44171-5c44176 1608->1609 1610 5c4417e-5c4418a 1608->1610 1609->1610 1610->1593 1616 5c44190-5c441bf 1610->1616 1614 5c441ec 1611->1614 1615 5c441ee 1611->1615 1622 5c441fe-5c4420f 1612->1622 1614->1612 1615->1612 1634 5c441d0-5c441de 1616->1634 1635 5c441c1-5c441ce 1616->1635 1622->1586 1622->1587 1639 5c44445-5c44467 1623->1639 1640 5c444ae-5c444b8 1623->1640 1641 5c442f5-5c4430b 1624->1641 1642 5c44406-5c4441f 1624->1642 1638 5c4404c-5c4405c 1631->1638 1632->1638 1634->1586 1635->1634 1647 5c44077-5c44079 1638->1647 1648 5c4405e-5c44075 1638->1648 1661 5c444b9-5c4450a 1639->1661 1662 5c44469-5c44485 1639->1662 1641->1642 1660 5c44311-5c4435f 1641->1660 1642->1623 1642->1624 1652 5c440c2-5c440c4 1647->1652 1653 5c4407b-5c44089 1647->1653 1648->1647 1655 5c440c6-5c440d0 1652->1655 1656 5c440d2-5c440e2 1652->1656 1653->1652 1667 5c4408b-5c4409d 1653->1667 1655->1656 1670 5c4411b-5c44127 1655->1670 1672 5c440e4-5c440f2 1656->1672 1673 5c4410d-5c44110 1656->1673 1709 5c44361-5c44387 1660->1709 1710 5c44389-5c443ad 1660->1710 1698 5c4450c-5c44528 1661->1698 1699 5c4452a-5c44568 1661->1699 1675 5c444a9-5c444ac 1662->1675 1682 5c440a3-5c440a7 1667->1682 1683 5c4409f-5c440a1 1667->1683 1670->1622 1684 5c4412d-5c44148 1670->1684 1687 5c440f4-5c44103 1672->1687 1688 5c44105-5c44108 1672->1688 1730 5c44113 call 5c448a8 1673->1730 1731 5c44113 call 5c448b8 1673->1731 1675->1640 1680 5c44493-5c44496 1675->1680 1677 5c44119 1677->1670 1680->1661 1685 5c44498-5c444a8 1680->1685 1689 5c440ad-5c440bc 1682->1689 1683->1689 1684->1586 1685->1675 1687->1670 1688->1586 1689->1652 1696 5c44239-5c4424c 1689->1696 1696->1593 1698->1699 1709->1710 1719 5c443df-5c443f8 1710->1719 1720 5c443af-5c443c6 1710->1720 1722 5c44403-5c44404 1719->1722 1723 5c443fa 1719->1723 1727 5c443d2-5c443dd 1720->1727 1728 5c443c8-5c443cb 1720->1728 1722->1642 1723->1722 1727->1719 1727->1720 1728->1727 1730->1677 1731->1677
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 820798522b7a7ac3bd6f955501efb5004b49617533f7c6a75bb6a93f775b60a0
• Instruction ID: d9bb6e128023789d82c193a35fe9c1fed9aa76d9f225be25a3c2785f73541ad0
• Opcode Fuzzy Hash: 820798522b7a7ac3bd6f955501efb5004b49617533f7c6a75bb6a93f775b60a0
• Instruction Fuzzy Hash: 10126F34B002158FDB18DF69C584AAEBBF2FF88710B258569D906EB365DB70ED41CB90
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d2cfc04c210faf0ac2695ad8d03a43bfed1f78d0beffc755d05c43836cf8812
• Instruction ID: 3c0fdd45d8195da8abac99f0a04ab1db203f107a14a0ab605db827faeddff717
• Opcode Fuzzy Hash: 9d2cfc04c210faf0ac2695ad8d03a43bfed1f78d0beffc755d05c43836cf8812
• Instruction Fuzzy Hash: 24D1F534E00218CFCB19EFB4D854A9DBBB2FF8A301F1095A9D50AAB254DB359986CF10
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d9eeffad29f226a77d01bdcd11057374b5a0d557c2a4aef58c7cf0ccc476081
• Instruction ID: 787047ceec95eca13c863ff58f6210f025f893495612ea659663283237726696
• Opcode Fuzzy Hash: 1d9eeffad29f226a77d01bdcd11057374b5a0d557c2a4aef58c7cf0ccc476081
• Instruction Fuzzy Hash: EFD1D374E00218CFCB18EFB4D854A9DBBB2FF8A301F1095A9D50AAB254DF359986CF51

Control-flow Graph

Memory Dump Source
• Source File: 00000004.00000002.2282794133.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2320000_2p4HikHFep.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 6d8ffb26a7432ba35c9e5e09d168c8779294d27aa220921bebd4ed7cf3cd8f58
• Instruction ID: 2f635c1d04216db833c5eac77fa4c598168db4926410fb7d03f92fd0b87877aa
• Opcode Fuzzy Hash: 6d8ffb26a7432ba35c9e5e09d168c8779294d27aa220921bebd4ed7cf3cd8f58
• Instruction Fuzzy Hash: 757123B0A00B159FD724DF6AD44075ABBF2FF88704F00892DD48AD7A40DB78E94ACB90

Control-flow Graph

control_flow_graph 59 2325935-232593b 60 2325944-2325a01 CreateActCtxA 59->60 62 2325a03-2325a09 60->62 63 2325a0a-2325a64 60->63 62->63 70 2325a73-2325a77 63->70 71 2325a66-2325a69 63->71 72 2325a88 70->72 73 2325a79-2325a85 70->73 71->70 75 2325a89 72->75 73->72 75->75
APIs
• CreateActCtxA.KERNEL32(?), ref: 023259F1
Memory Dump Source
• Source File: 00000004.00000002.2282794133.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2320000_2p4HikHFep.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 8b56368ddb7145ee972ad49829e18b0139532b5ab265902e2796e7e3881acf2c
                                                                                                                                                                                                                                                  • Instruction ID: 1f86af6209f5d214ce92a55f6d9be9c20447ebc695f0a36875068424251c4097
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b56368ddb7145ee972ad49829e18b0139532b5ab265902e2796e7e3881acf2c
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EC41D170C00729CBEB25DFA9C98578DBBB5FF88704F20816AD408AB251DB75694ACF51

Control-flow Graph
• Function at 2324248 (basic blocks 2324248-2325a89), calls CreateActCtxA; graph image not reproduced.
APIs
• CreateActCtxA.KERNEL32(?), ref: 023259F1
Memory Dump Source
• Source File: 00000004.00000002.2282794133.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2320000_2p4HikHFep.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 143b6c6ab6135c8c97be99b11975d9f747f10580ce92aaacab91ac9bf3fca03c
• Instruction ID: eb9747d89acef45c553ba0ce28907577e9cd088845cb3e00b83d43750ca0c42c
• Opcode Fuzzy Hash: 143b6c6ab6135c8c97be99b11975d9f747f10580ce92aaacab91ac9bf3fca03c
• Instruction Fuzzy Hash: 3341C170C0072DCBEB25CFA9C984B9DBBB5FF48304F60806AD508AB251DB756949CF91

Control-flow Graph
• Function at 232c9a0 (basic blocks 232c9a0-232d3ba), calls DuplicateHandle; graph image not reproduced.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0232D2C6,?,?,?,?,?), ref: 0232D387
Memory Dump Source
• Source File: 00000004.00000002.2282794133.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2320000_2p4HikHFep.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: fbe5704bf71d1e20cb03dfef29bab049e23742131887d92352792e21b1927505
• Instruction ID: e70fc3506b461b187913024594a3d4976def5e8590e1a99eb63a0e080f75e027
• Opcode Fuzzy Hash: fbe5704bf71d1e20cb03dfef29bab049e23742131887d92352792e21b1927505
• Instruction Fuzzy Hash: 2021E3B5900359DFDB10CF9AD984ADEBBF8EB48320F14845AE918A3310D374A954CFA5

Control-flow Graph
• Function at 232d2f9 (basic blocks 232d2f9-232d3ba), calls DuplicateHandle; graph image not reproduced.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0232D2C6,?,?,?,?,?), ref: 0232D387
Memory Dump Source
• Source File: 00000004.00000002.2282794133.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2320000_2p4HikHFep.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 49dab86842e5eebaf812641a40b2e790212b0e7f36165ce70210afe13b38a103
• Instruction ID: 34f6f7334c45ac290486702504aa38db1854afa5553a0a1496ac81685d4d6fcf
• Opcode Fuzzy Hash: 49dab86842e5eebaf812641a40b2e790212b0e7f36165ce70210afe13b38a103
• Instruction Fuzzy Hash: 8621E3B5900259DFDB10CFAAD984ADEBFF4EB48324F14842AE918A7210D374A954CFA4

Control-flow Graph
• Function at 2329838 (basic blocks 2329838-232b0b0), calls GetModuleHandleW; graph image not reproduced.
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0232AE4C), ref: 0232B086
Memory Dump Source
• Source File: 00000004.00000002.2282794133.0000000002320000.00000040.00000800.00020000.00000000.sdmp, Offset: 02320000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_2320000_2p4HikHFep.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 604106d9ba181af9195314a39024e8fa425c090c72b312767a067378da4b4c62
• Instruction ID: 6f66c117f18e4025b81945ad0f975a2a12947eec3f54da1ad7d98260b5e0f39b
• Opcode Fuzzy Hash: 604106d9ba181af9195314a39024e8fa425c090c72b312767a067378da4b4c62
• Instruction Fuzzy Hash: EE1120B5C007598BDB20CF9AC444B9EFBF5FF88228F10846AD428B7200D375A509CFA5

Control-flow Graph
• Function at 5c31ba0 (basic blocks 5c31ba0-5c32eb6), no API calls resolved; graph image not reproduced.
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9c2b006bb30c29073424644987af85f98a8125b98929284b5d8c3fbd9c981706
• Instruction ID: 49172d2db2257e7bb19f3a079c97b24e2918ee6ce16da86dc0be0af3cd818b2a
• Opcode Fuzzy Hash: 9c2b006bb30c29073424644987af85f98a8125b98929284b5d8c3fbd9c981706
• Instruction Fuzzy Hash: 64C24A74B002189FDB15DF64C855AAEBBB2FF89700F118099E606AB3A1DB71EE41CF51

Control-flow Graph (node legend: Executed / Not Executed; graph data not reproduced)
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ff750343ca3ce87d8c93639fb01ca6b1bada18951f670fbed53945beeabb2fec
• Instruction ID: 57e8d4e6b9beb67310f59d2118ba9b2288cefcdaf57739bb81b5a9f75591b612
• Opcode Fuzzy Hash: ff750343ca3ce87d8c93639fb01ca6b1bada18951f670fbed53945beeabb2fec
• Instruction Fuzzy Hash: 074268307107199FDB69AB68C494A2E7AF2FBC6704B00495DD503AF394CFBAED058B85

Control-flow Graph (node legend: Executed / Not Executed; graph data not reproduced)
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72bee1b6fd3828b894a42e355a02be662a69009d353be0962305e28b96cf8fd0
• Instruction ID: b828c49d39bf32f2a161b6acc4e028ee2e2cc9cb6e5545fad6a870af3b520e4a
• Opcode Fuzzy Hash: 72bee1b6fd3828b894a42e355a02be662a69009d353be0962305e28b96cf8fd0
• Instruction Fuzzy Hash: 8242F334B402188FCB44DF69C994EAABBF6BF89704F118499E606DB3A1DB71ED40CB50

Control-flow Graph (node legend: Executed / Not Executed; graph data not reproduced)
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 47fed9cbbfcaf97534d3ee0a187c11d3beedeb7ddf5e4d7e67d8997c5a8cfcc5
• Instruction ID: 208a126d4cab63f3b9101681c118b8e93e3039b42e7a2fd6796c6e5eca47fb49
• Opcode Fuzzy Hash: 47fed9cbbfcaf97534d3ee0a187c11d3beedeb7ddf5e4d7e67d8997c5a8cfcc5
• Instruction Fuzzy Hash: 88229C30B042499FDB05DB69C859A7EBBF7BF88210B18885AE506DB3A2CF74DD41CB51

Control-flow Graph (node legend: Executed / Not Executed; graph data not reproduced)
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec8e8a6a20f26d199374c8c99c425a4d1355c3dad447be8ab6e47cb3e9d4e06a
• Instruction ID: ee989f957007c2367435ce5517588297098717d5eca5864bcf34f056c05e872e
• Opcode Fuzzy Hash: ec8e8a6a20f26d199374c8c99c425a4d1355c3dad447be8ab6e47cb3e9d4e06a
• Instruction Fuzzy Hash: 283236787006018FDB18DF29C584E6ABBF2FF89304B2588A9E546DB366DB34ED45CB50

Control-flow Graph (node legend: Executed / Not Executed; graph data not reproduced)
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 760c6b94fbca1133eb9da3eb151cbe0a9f9ff01238ebb240c8881876a99edb18
• Instruction ID: 28f32746739625977a7547afd4bf6c49728d2f0c9c1605d139085e03ae0e514b
• Opcode Fuzzy Hash: 760c6b94fbca1133eb9da3eb151cbe0a9f9ff01238ebb240c8881876a99edb18
• Instruction Fuzzy Hash: 8EC16E34700308DFDB459B65C859B7A7BE6FF8AB00F049469E902AB3A2DBB5DD40CB51
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c3f5c15e1de88f53f10880dd6baf0e4b68db2a4dff245a1062cb1e1c7b4e31c
• Instruction ID: 26bbd39b9b4921b81010af8446088778fbaeab8cd09af116a9e89955f38ec9bf
• Opcode Fuzzy Hash: 4c3f5c15e1de88f53f10880dd6baf0e4b68db2a4dff245a1062cb1e1c7b4e31c
• Instruction Fuzzy Hash: F9C1AD347003499FDB149BA9C855A3E7BE6FF89704F18486AE6028B392DFB5DD01CB91
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 658593f55630af964efb1c287103d62bc5c45781b101dcee57996fbc0deafa45
• Instruction ID: 69e73e21b873dbbb8ae5452cac86588dcd29fb683b12b16e1049d6e106552e89
• Opcode Fuzzy Hash: 658593f55630af964efb1c287103d62bc5c45781b101dcee57996fbc0deafa45
• Instruction Fuzzy Hash: 19B14C34700308DFEB449B65C859B397BA6FF8AB04F109469EA02AB3A1CFB5DD41CB51
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 701489b2cd4eb81a32a6edc715f02e31b6288778b5ded04fd1e4d3043258cced
• Instruction ID: 06d86b2326fd10bdbc2bfd1dd948abad05a433df88cc87eb177c48f1897d7be6
• Opcode Fuzzy Hash: 701489b2cd4eb81a32a6edc715f02e31b6288778b5ded04fd1e4d3043258cced
• Instruction Fuzzy Hash: 06B15D34700308DFEB449B65C859B797BA6FF8AB04F109469EA02AB3A1CFB5DD41CB51
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f2ea3c63690ce5a67e26ad4c40a69a103a9068d30715bc247a488ea2b746ae79
• Instruction ID: fe3b017873ee1e0ba7f6e44dfc0329fd73f4aee191394b6323da4cc66907a457
• Opcode Fuzzy Hash: f2ea3c63690ce5a67e26ad4c40a69a103a9068d30715bc247a488ea2b746ae79
• Instruction Fuzzy Hash: F3B15C34700308DFEB449B65C859B397BA6FF8AB04F109469EA02AB3A1CFB5DD41CB51
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b1581c373fa32a35d90197aef0cbb16dcd2ad072511f774efa3cc29082948485
• Instruction ID: e36956259d9d3d76c1aee8e9a7598b7c25e1b777c0f9535c92b27d48c9905e9f
• Opcode Fuzzy Hash: b1581c373fa32a35d90197aef0cbb16dcd2ad072511f774efa3cc29082948485
• Instruction Fuzzy Hash: 82B14B34700308DFEB449B65C859B397BA6FF8AB05F109469EA02AB3A1CFB5DD41CB51
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbc7e08b0af9906a13b008825774dcb1e6b00116c038edb3182bec72c3b53a00
• Instruction ID: ba579378e7887914ea1c06905f0a45771f2324d5286d8a54cf090fd1f1c89bad
• Opcode Fuzzy Hash: cbc7e08b0af9906a13b008825774dcb1e6b00116c038edb3182bec72c3b53a00
• Instruction Fuzzy Hash: 2CB124387006058FCB18DF29D588E6ABBF6FF89205B2544A8E546DB366DB34ED05CF50
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 06e1a9d9fd4f834b5595c0f736617ee0893fd9e1ad0f323a635f72d216aee777
• Instruction ID: 355d0e1636c251550180dc7e741b73a84880cd0763ad3c65681fdb85ab82ae1f
• Opcode Fuzzy Hash: 06e1a9d9fd4f834b5595c0f736617ee0893fd9e1ad0f323a635f72d216aee777
• Instruction Fuzzy Hash: 87512371E003599FDB18CFA9C984B9EBBF6FF88710F14892AD415AB244DB749946CF80
Memory Dump Source
• Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 013745f9553f537e951546d7a23298c34048a9b5bea3be0c3bbda922ed6b440c
• Instruction ID: 5266d6cbde1e4c7dee033a9b5c4b3426743e1b2aacafc35b7867221503b9cb43
• Opcode Fuzzy Hash: 013745f9553f537e951546d7a23298c34048a9b5bea3be0c3bbda922ed6b440c
• Instruction Fuzzy Hash: 6A515835B405199FCB04CF69C8849AEBBF2FF88710B118469E906EB361DB30ED05CB50
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: f7c0cf25f1aee1e4df79f71488772f63523dfaf56a5152c384091b52a8a21f55
                                                                                                                                                                                                                                                  • Instruction ID: 16310e3cc535f53d9a37f7fb1861fe5ddfa563376578b72a55c036f133036a39
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: f7c0cf25f1aee1e4df79f71488772f63523dfaf56a5152c384091b52a8a21f55
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 78516A35A00605DFCB10CF68C880DAABBF2FF89310B198999D5599B361D730F946CF90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: e7b77b4daa1d3d621eb7a4d5d221d216cc113a4613e932240f601ff9816d70b2
                                                                                                                                                                                                                                                  • Instruction ID: 0412dc4b7a28b17fa5300cfa5e58f241a86283ea002fbf65d452bf42bb8d4c23
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: e7b77b4daa1d3d621eb7a4d5d221d216cc113a4613e932240f601ff9816d70b2
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CA5115B1E00259DFDB18CFA9C984B9DBBF2FF48700F148929D415AB294DB749946CF80
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 03c1e33c62b84f2ab21578b860fed197ceb829846c6a7bf1767ef82b793a4391
                                                                                                                                                                                                                                                  • Instruction ID: c8215582bba45d981172b483305f37bb79942ae4c24792e46f690f0c6b3de956
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 03c1e33c62b84f2ab21578b860fed197ceb829846c6a7bf1767ef82b793a4391
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: F4415475A002858FDB14CF58C480E6AFBF2FFC8314B25895AD456AB721DB34E985CF90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 9b12f317348d1747d30bc3398b3bf7d4e3ba60266847c5d38abe6f4127519aca
                                                                                                                                                                                                                                                  • Instruction ID: 2b25fef80f74860101b5ec9741fabf4939cfac0e1ed7ec17a5e2144d54485950
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9b12f317348d1747d30bc3398b3bf7d4e3ba60266847c5d38abe6f4127519aca
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C9310F717053508FD71AAB78A49096E7BE2EFCA21031548AEC40A9B351DE34EC0BCB92
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 3b34abbb23eeb72922973c3d3049a833f97385139d4df55f413819d39c55ee23
                                                                                                                                                                                                                                                  • Instruction ID: a10819af910081f00b78e1214ecea2561afe8a68eea9d38914830034aa936deb
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b34abbb23eeb72922973c3d3049a833f97385139d4df55f413819d39c55ee23
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: EF314A397012119FDB15DF38D484AAE7BB2FF89341B548869E906CB365DB34ED06CBA0
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 662b59d3180de6b2a2a7ba91f405f4ff800a8987b36d9e638962cd32e33ea09d
                                                                                                                                                                                                                                                  • Instruction ID: 0fb5b5f5bc6a699a45f33fcc6f9f36bcf2dad6d24f7d271872fb7f9b125a6336
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 662b59d3180de6b2a2a7ba91f405f4ff800a8987b36d9e638962cd32e33ea09d
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CB31AE717002149BDB09AF79A86057E77E7EFC8200B50883AD606DB384EE359E028BD5
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 4d02b1fd91b1540803a15a60bbb7c57e18c6370eba240fa96ad74ff5f7228587
                                                                                                                                                                                                                                                  • Instruction ID: f569c2964a39d5b13c8cb784d5e1f3fb982eff6cc8290c64e31e5c9eca6a6265
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d02b1fd91b1540803a15a60bbb7c57e18c6370eba240fa96ad74ff5f7228587
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: A53137397012119FDB15DF38D884AAEBBB2FFC9241B508869E9068B355DB35ED05CBA0
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 605f066286439a49bd85976bf8531a85eb727e5e8bd2164330f9e9f273bdf043
                                                                                                                                                                                                                                                  • Instruction ID: e801f3cc7c93221f3737a50ed206787b0f9970161b4f7c78225c98fb5a932d8f
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 605f066286439a49bd85976bf8531a85eb727e5e8bd2164330f9e9f273bdf043
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9641F0B1D01248DFDB14DFAAD984ADEFBF6AF88310F10842AE415B7250DB75A945CF90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d3c0e9a83920536deda9939f3aa0821b4271aa5690c2e59e776a83adab8fe6d1
                                                                                                                                                                                                                                                  • Instruction ID: cfaf310d87c47899ddef8b425309eb1989941cc5c09d472b1ce25bbfdd4d04a8
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d3c0e9a83920536deda9939f3aa0821b4271aa5690c2e59e776a83adab8fe6d1
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF313C39E146199FCB04CFA9D8849DEFBF6FF8D310B15816AE915AB310EB30A905CB50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 71800f160c45f671c9be4f58cd76867e4ec5b19a53ab230871279e6c73ca9734
                                                                                                                                                                                                                                                  • Instruction ID: 04d7317d727dc3255434daf157ca91e2ee7d02688e5f98bf798a6d2738793296
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 71800f160c45f671c9be4f58cd76867e4ec5b19a53ab230871279e6c73ca9734
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: E32191747012558BDB09AF78A46063E36D3AFC8201B54487EC206DB384EE74DE069B9A
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291020924.0000000005C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C30000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c30000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: ce526bbc821a045c9ab02adfed5cd076322e5a56babe981bbb086ca12a0a2b76
                                                                                                                                                                                                                                                  • Instruction ID: c992066b7fdb33bc607b957d72c28bf4aeff7d7bf4894cc79a653fbd6e82bb8b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: ce526bbc821a045c9ab02adfed5cd076322e5a56babe981bbb086ca12a0a2b76
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C311A39E106199FCB04CFA9D8848DEF7F6FF8D310B11816AE915AB314EB71A905CB50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 9ef100deafe5cd44a3c04458baa60ca92bedbac8f4541f78ece99aded67d40d9
                                                                                                                                                                                                                                                  • Instruction ID: f32a6cf1d012485ead0830fb33458ecd1cba013649e8ab9aef0443e171262673
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9ef100deafe5cd44a3c04458baa60ca92bedbac8f4541f78ece99aded67d40d9
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E3100B1D016499FDB18DFAAC980BDEBFF6AF88300F14842AD405AB250EB745945CF50
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: fd8a804a1b5c02037a85dd84552dcb60478fab57039e1fd546c24911e09f38ca
                                                                                                                                                                                                                                                  • Instruction ID: 7052b3399cbdeb7098e14949ae952e6ac5def666714d6c6ee4ac23112172e23a
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: fd8a804a1b5c02037a85dd84552dcb60478fab57039e1fd546c24911e09f38ca
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5931E3B1D053589FDB14DFA9D894B9EBBF5BF88310F14842AE405B7240D7B4A946CF90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2282419751.000000000223D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0223D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_223d000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 6792dd4c2b4bf25f1454aaf897872c25fb8a3b3664c69a565b83c716ebc9992a
                                                                                                                                                                                                                                                  • Instruction ID: 452d9a4a6ffb9d73615b72176d76c45aa6ac524d9a4355a34c8733f24c5d9250
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6792dd4c2b4bf25f1454aaf897872c25fb8a3b3664c69a565b83c716ebc9992a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: C42167B2624200DFDB06DF50D9C0B26BF62FB88314F20856CE9490B26AC376D416CBA1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2282419751.000000000223D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0223D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_223d000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 332d5d5ea56051dafeb142b990b4bd09193916137128742c92acff0c8d50c05a
                                                                                                                                                                                                                                                  • Instruction ID: 7226f8c91dccce787c42333573e54c72c9a3072f27471457fa2bfbe1bd24341b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 332d5d5ea56051dafeb142b990b4bd09193916137128742c92acff0c8d50c05a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E2128B6524244DFDB0ADF54D9C0B26BF65FB84324F20C16DDA0A0B25AC376E456CBA1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2282473546.000000000224D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0224D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_224d000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d3c67b8e59765dfd62884b69c5db831031ad4406ee32e50a96d1395e7a9db186
                                                                                                                                                                                                                                                  • Instruction ID: 3f528383590cf027dc23e9d379b14f3197809b9de7749cc3cdcb2b57fa22c736
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d3c67b8e59765dfd62884b69c5db831031ad4406ee32e50a96d1395e7a9db186
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2F213475614300EFDB18DFA4D9C0B26BBA1FB84314F20C56DD90A0B25ACBBBE407CA61
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 10cf5a22975c1f4c0b339e4c1a6c6bb79e7153fd7869886d3bdf9fad708f7486
                                                                                                                                                                                                                                                  • Instruction ID: aa54b082797c363c7f5398b88b59a083534be52b4acce6eb2a2f12f026553554
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 10cf5a22975c1f4c0b339e4c1a6c6bb79e7153fd7869886d3bdf9fad708f7486
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F113A732081E41FCB124BA9AC508FB3FE9EACA26570944A6FA84C7143C528CD1397B1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2282473546.000000000224D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0224D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_224d000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 2a3d35e7b5847258c209fff59478d78a244c3ca9fafe2676e6f3863c4f46b706
                                                                                                                                                                                                                                                  • Instruction ID: e490f0182e807060eab63f364b13d2d2d406555fbefa5e42aaab3d37817a207e
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2a3d35e7b5847258c209fff59478d78a244c3ca9fafe2676e6f3863c4f46b706
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 222192755083809FCB06CF64D994711BF71EB46314F28C5DAD8498F2A7C33AD80ACB62
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2282419751.000000000223D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0223D000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_223d000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  • Instruction ID: eb45f522ef3b7c1593e4d57e560118188275683b8bd4c834df0eee31c4011ae5
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2abf279f6604d39c3611f4ee27e0d31b59af6ec8f627784c1c3ce2d59a194b10
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9501A934601346CFCB28DA2AA500A37B7E3BF84219B188C2CE40682608DA75E980CF80
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 72ab6157586a5afefd283310bd920db587b650c27cbd6bfa4b77836f459b6676
                                                                                                                                                                                                                                                  • Instruction ID: 90fdfbe90356b4cce7d9ec6609cc283eeb9d31348138bb337bf4bd870fd92b79
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 72ab6157586a5afefd283310bd920db587b650c27cbd6bfa4b77836f459b6676
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5701B1352003048FD325EF69D04865E7BE3EFC8315B108A2DD24B97744DFB8A90ACB91
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: b0bf55a92425ec1d8ede30b850564ca76973131409424744619c6da725059b36
                                                                                                                                                                                                                                                  • Instruction ID: fed128ff6444efe9e9edc3bacca815f3347667db001e34131493fedeb8ab59de
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b0bf55a92425ec1d8ede30b850564ca76973131409424744619c6da725059b36
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: AD01B178D06289FFCB45EBB8E88548C7FB2BB85200B144499E405AB251EA701A89CF51
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: a8493527b9392c53eac5761c88b39d5b3b6f0c98d0f1562675290db1705f9dcc
                                                                                                                                                                                                                                                  • Instruction ID: 3af25d4edf9b08b8720ebb683dcad8f96d34733eaa98292fd108e13597d818f2
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: a8493527b9392c53eac5761c88b39d5b3b6f0c98d0f1562675290db1705f9dcc
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E01E5B8C0825ADFDB00DFA4D584AADBFB1FB49300F1085AAD815A7252D7740A41CF91
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 21f287e6205f758a1d6cdf191096a9b6cb085cebd58f1c01bbb63fbe1fcff401
                                                                                                                                                                                                                                                  • Instruction ID: f5e8c2fee87b2e836dd011c750944ee09f97370e8930bd3bf3c21d3fcbfd2bc8
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 21f287e6205f758a1d6cdf191096a9b6cb085cebd58f1c01bbb63fbe1fcff401
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6301C4B8D04209DFDB04DFA9D544AAEBBF1BB48301F1085A9D815B3351E7781A40CF90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 35255e30966882ab2934427c47a3ac1ae55e4291352bf06f5b915321c7938a2e
                                                                                                                                                                                                                                                  • Instruction ID: 7e2c1fa9b1dec7dde8cc10dbd7b4a4d50e2e6f1d21e2d41d5f3a60afcf902bfc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 35255e30966882ab2934427c47a3ac1ae55e4291352bf06f5b915321c7938a2e
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5401D175801B018FD315DF26E888496BBF6FF49310700C91EE487C3610DB70A58ACF80
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 05e4c832d0d460c4f6cf6ac311353fe2dce72a759931da1536bd0bb161389280
                                                                                                                                                                                                                                                  • Instruction ID: a5f1e6db8a7170697d384550595defbd17c1070190ea7160e80ec96ba75104cc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 05e4c832d0d460c4f6cf6ac311353fe2dce72a759931da1536bd0bb161389280
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 08F02E312443416FC35567A9E8946DA7FEADFCF711B00449DF14AC3142C9B5180987A1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d2ecbf734402c59034b22b6a8a02d8184372fa5444e958a82277c304e86c5564
                                                                                                                                                                                                                                                  • Instruction ID: ff0eb29fdbc5780c184d2ffc84097b4961aa889c4a8d0e1cf6ab631f9e828edc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d2ecbf734402c59034b22b6a8a02d8184372fa5444e958a82277c304e86c5564
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 28F0B4303002018BD219F76AE89096E7BD7EFC9211314992DC10AAB744EFB0FD0787E2
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: b8aba62a765896a8108008e92b902bee4e2d03be11af64d98475b3b8fb046f40
                                                                                                                                                                                                                                                  • Instruction ID: 88e900a06ba0086fcd2d160fd6396e5b7df502191b0d7f2fe0e93844c434cc10
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: b8aba62a765896a8108008e92b902bee4e2d03be11af64d98475b3b8fb046f40
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 68F0B4317443009BD7209B68EC45F957FE5EB82710F15866AE254CF1E2E7B1D8858B80
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: c66837f464f49dcd23f660651bd363d64697025743d834fe0444015408db1d75
                                                                                                                                                                                                                                                  • Instruction ID: 3e6176741ca20c82b0b16ed071dd98a8b05dd9818a4a313b48626c79cb94ff8f
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: c66837f464f49dcd23f660651bd363d64697025743d834fe0444015408db1d75
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 82F059727481509FC3171768AC544AD3FA6DDC624230848CFE282CB241CA584502C7E1
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 926ae6dedfbf81401f3264dc4f7aa07b21620d4af6fe6de241a0967cfc9de769
                                                                                                                                                                                                                                                  • Instruction ID: 1dce6b45d19815edf68ff1f906e546aac82ca26a4e3172f2f186ab34c0fa8cc2
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 926ae6dedfbf81401f3264dc4f7aa07b21620d4af6fe6de241a0967cfc9de769
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CDF012662041E83F8B518E9A5C10DFB7FEDDACE1627084196FE98D2141C429C961ABB0
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 643f34da86ded7f72742b12c2f8235e3cc147aa763fe9e5fedf007809f374b98
                                                                                                                                                                                                                                                  • Instruction ID: 620d022ccb0b62187603a1764ad50af5633aa6510b3d94b0280c3e67f76b5599
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 643f34da86ded7f72742b12c2f8235e3cc147aa763fe9e5fedf007809f374b98
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4FF09035601792CFDB25CF25E1809B7BBB3FF80314B14986DD04286856DA74E98ACF40
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 85ac5f8e6df73c1ae1216f9d9fd093c8540235d57c24928c5ed40f57543dc453
                                                                                                                                                                                                                                                  • Instruction ID: b1ff34f894617565180c329321a7d014ea5e330891da6229e3629a8904eb4b26
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 85ac5f8e6df73c1ae1216f9d9fd093c8540235d57c24928c5ed40f57543dc453
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1BF0F6351053905FC3169738EC1569E3FE69FC2314B08049EF1428B252CAA5A9058BA2
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 78a5ba7f294ff106131ffadbd23a624a00759d0856893a151ff91bb2a71cd2dd
                                                                                                                                                                                                                                                  • Instruction ID: 256d8b25e2f2b42aa0b8905208f7fb92fd22bf3eeb26cf76f34d604adec2822b
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78a5ba7f294ff106131ffadbd23a624a00759d0856893a151ff91bb2a71cd2dd
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 50F02731B041299BCB10DEADAC44ABFBFF9FB84260F18853AD518C3200EB34D901C7A5
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 25803b526e5962aed6a56c5cf4ca5a092580f522122904736126f61264fa7a5f
                                                                                                                                                                                                                                                  • Instruction ID: 9f4d924b8e40a5fd9234b68e4741bcc38d44d640cc5069849c9a319d53b3ca56
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 25803b526e5962aed6a56c5cf4ca5a092580f522122904736126f61264fa7a5f
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: BDF04FB9D08159DFDB01CBA5C4559ADBFB1EB5A201F004596E846E7352E6394A41CF00
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: d88c1958e7bf19ead2429996c31dd5eef3ba4d2b4383b6dd6ab44fea52c2d621
                                                                                                                                                                                                                                                  • Instruction ID: b400064d1749992523a68929ca0865af0c763626bcc3dec2ba40aec09b6180d1
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: d88c1958e7bf19ead2429996c31dd5eef3ba4d2b4383b6dd6ab44fea52c2d621
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3BF03C78E01249EFCB49EFBCE48959CBBB6FB84201B1045A9D906AB254DB701A48CF41
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 9489b53c31d15b91af0c8c90859ad406f87fe55178ebda78d274a8043a8c4238
                                                                                                                                                                                                                                                  • Instruction ID: 1fb35c44228d63020a121d4b71f4b619c2e26f0905344d0a87bed194fb2855bc
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9489b53c31d15b91af0c8c90859ad406f87fe55178ebda78d274a8043a8c4238
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: CAE09231340201ABC3146AAAE888ADF7EDBEBCA752B10906DF20EC3241CEB5180547A5
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 28b60e9f6eb4b291d39f7b4783ec013f16a4423458ff1c83ba5970cef6ae00f4
                                                                                                                                                                                                                                                  • Instruction ID: 4678d8b87d2b1c6e65b0ba9f78314a8f76720193321a3342d655dc36cac04200
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 28b60e9f6eb4b291d39f7b4783ec013f16a4423458ff1c83ba5970cef6ae00f4
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 25F03079501B059FD725DF26E488556BBF6FF88301700C62EE94B83A54DB70A54ACF84
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 74c52b629bc781a0e59f95bcdcb0bcb9451f1a15e124bbc4f25400f5aa7cadfe
                                                                                                                                                                                                                                                  • Instruction ID: 214197ed4b69e22826e01dd4413c4561a9dab4b0c26f8366843e1c42a08f02bf
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 74c52b629bc781a0e59f95bcdcb0bcb9451f1a15e124bbc4f25400f5aa7cadfe
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 96D05B71E0020CFFCB40DFA9E94055D77F5DB44205B1051DDD509F7200DA711F149B90
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 9d3b382ff0d77deddb6e66481f56de970e132877ccc394b610fb9b4556b4523a
                                                                                                                                                                                                                                                  • Instruction ID: ad0efb332c6efb9ff8ed56840ff442ed2b999f708e5a7354b3f4c7cc0baddc66
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9d3b382ff0d77deddb6e66481f56de970e132877ccc394b610fb9b4556b4523a
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: D5C08C76B001200B02C8A6AC719416D77D3C3CC6B338580BFF60EE7348EEB08D964780
                                                                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                                                                  • Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
                                                                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
                                                                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                                                                  • Opcode ID: 18140fa58198136949fc92953f092e04c35c1dc7509fbd1d35c765e9f7cd3fd6
                                                                                                                                                                                                                                                  • Instruction ID: 752a9044fa87099ee26e2ff7d0feb2417ef8b33eef2ee44f3842cf897f443ad3
                                                                                                                                                                                                                                                  • Opcode Fuzzy Hash: 18140fa58198136949fc92953f092e04c35c1dc7509fbd1d35c765e9f7cd3fd6
                                                                                                                                                                                                                                                  • Instruction Fuzzy Hash: 93C04C3954A3946ADB060A30AD0E9853E255B5272071500C6B7418A06396218045C6A1
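The function records above are what an analyst pivots on when hunting for the same unpacked code in other reports, so they are worth pulling out of the report text into structured form. The parser below is an added example, not part of the Joe Sandbox report or its tooling. It reads records from the listing, cross-checks the `.sdmp` name against the `Offset` and the `hcaresult_<proc>_<dump>_<base>_...` snapshot name, verifies that the `Opcode ID` equals the `Opcode Fuzzy Hash` (which holds for every record on this page), and returns the opcode IDs of non-PE dumps as a pivot set. The meaning assigned to the first, second, fourth and fifth dot-separated fields of the `.sdmp` name (process index, dump index, region base, page protection, with `0x40` read as `PAGE_EXECUTE_READWRITE`) is an assumption that the page itself does not document; the sample input is two records copied from this listing.

```python
import re
from dataclasses import dataclass

# Constructed sample input: two function records copied from this report's
# fuzzy-hash listing, with the extraction indentation removed.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7903f327e48cc3a6d28a5eee8c38cb4b61fde469a7e71884def368faa3e8b06
• Instruction ID: 41bab98e2667f8774142cd9026554e7c2be96730fa110c0b6c7f721fbc57e6d8
• Opcode Fuzzy Hash: c7903f327e48cc3a6d28a5eee8c38cb4b61fde469a7e71884def368faa3e8b06
• Instruction Fuzzy Hash: DCE07579D0020CFFCB40DFA4D5858DDBBB9EB48200F1082A6D905A3210EB705B559B80
Memory Dump Source
• Source File: 00000004.00000002.2291048684.0000000005C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5c40000_2p4HikHFep.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74c52b629bc781a0e59f95bcdcb0bcb9451f1a15e124bbc4f25400f5aa7cadfe
• Instruction ID: 214197ed4b69e22826e01dd4413c4561a9dab4b0c26f8366843e1c42a08f02bf
• Opcode Fuzzy Hash: 74c52b629bc781a0e59f95bcdcb0bcb9451f1a15e124bbc4f25400f5aa7cadfe
• Instruction Fuzzy Hash: 96D05B71E0020CFFCB40DFA9E94055D77F5DB44205B1051DDD509F7200DA711F149B90
"""

FIELD_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SOURCE_RE = re.compile(
    r"^(?P<file>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$"
)
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class FunctionRecord:
    source_file: str
    offset: int
    based_on_pe: bool
    snapshot: str
    opcode_id: str
    instruction_id: str
    opcode_fuzzy: str
    instruction_fuzzy: str


def _build(fields):
    m = SOURCE_RE.match(fields.get("Source File", ""))
    if not m:
        raise ValueError("unrecognised Source File line: %r" % fields.get("Source File"))
    return FunctionRecord(
        source_file=m.group("file"),
        offset=int(m.group("offset"), 16),
        based_on_pe=m.group("pe") == "true",
        snapshot=fields.get("Snapshot File", ""),
        opcode_id=fields.get("Opcode ID", ""),
        instruction_id=fields.get("Instruction ID", ""),
        opcode_fuzzy=fields.get("Opcode Fuzzy Hash", ""),
        instruction_fuzzy=fields.get("Instruction Fuzzy Hash", ""),
    )


def parse_records(text):
    """Split the listing at each 'Memory Dump Source' header and collect the
    bullet fields of every record; plain headings are skipped."""
    records, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            if fields is not None:
                records.append(_build(fields))
            fields = {}
            continue
        if fields is None:
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    if fields is not None:
        records.append(_build(fields))
    return records


def dump_metadata(source_file):
    """Decode the dot-separated .sdmp name. Assumption (undocumented on this
    page): field 0 = process index, 1 = dump index, 3 = region base address,
    4 = page protection (0x40 is PAGE_EXECUTE_READWRITE)."""
    parts = source_file[: -len(".sdmp")].split(".")
    return {"process": int(parts[0]), "dump": int(parts[1]),
            "base": int(parts[3], 16), "protect": int(parts[4], 16)}


def check_record(rec):
    """Sanity checks before a record is used as a pivot; returns a list of
    problems, empty when the record is internally consistent."""
    meta = dump_metadata(rec.source_file)
    expected = "hcaresult_%d_%d_%x_" % (meta["process"], meta["dump"], meta["base"])
    problems = []
    for name, value in (("opcode id", rec.opcode_id), ("instruction id", rec.instruction_id)):
        if len(value) != 64 or not HEX_RE.match(value):
            problems.append("%s is not 64 hex characters" % name)
    if rec.opcode_id != rec.opcode_fuzzy:
        problems.append("opcode id differs from opcode fuzzy hash")
    if not HEX_RE.match(rec.instruction_fuzzy):
        problems.append("instruction fuzzy hash is not hex")
    if meta["base"] != rec.offset:
        problems.append("dump base differs from Offset")
    if not rec.snapshot.startswith(expected):
        problems.append("snapshot name does not match dump name")
    return problems


def pivot_hashes(records):
    """Opcode IDs from dumps that are not PE images: these describe the unpacked,
    in-memory code and are the values worth searching other reports for."""
    return {r.opcode_id for r in records if not r.based_on_pe}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r.opcode_id, dump_metadata(r.source_file), check_record(r) or "ok")
    print(sorted(pivot_hashes(recs)))
```

The opcode IDs, not the instruction fuzzy hashes, are the right pivot: the two hash types differ per record while every record here shares the same RWX, non-PE dump at `05C40000`, which is what makes them candidates for the injected stealer payload rather than the packer stub.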