Windows Analysis Report
7yJsmmW4wS.exe

Overview

General Information

Sample name: 7yJsmmW4wS.exe (renamed because original name is a hash value)
Original sample name: 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe
Analysis ID: 1532626
MD5: 3dcc9cfed0a716b6ad3c4f4aaf1a1f46
SHA1: e512e9a92247439ca3bbb8e412ec46f191025b41
SHA256: 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 7yJsmmW4wS.exe (PID: 2548 cmdline: "C:\Users\user\Desktop\7yJsmmW4wS.exe" MD5: 3DCC9CFED0A716B6AD3C4F4AAF1A1F46)
    • rat.exe (PID: 1240 cmdline: "C:\Users\user~1\AppData\Local\Temp\rat.exe" MD5: 0F43E9B3D93B65843F0346D76282BDC7)
      • schtasks.exe (PID: 7356 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
        • conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • freeware.exe (PID: 2980 cmdline: "C:\Users\user~1\AppData\Local\Temp\freeware.exe" MD5: BFDFA3FAE0BF91D83DDDF5A708DBEFB1)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • edge.exe (PID: 7468 cmdline: C:\Users\user\AppData\Roaming\edge.exe MD5: 0F43E9B3D93B65843F0346D76282BDC7)
  • edge.exe (PID: 7744 cmdline: C:\Users\user\AppData\Roaming\edge.exe MD5: 0F43E9B3D93B65843F0346D76282BDC7)
  • edge.exe (PID: 8052 cmdline: MD5: 0F43E9B3D93B65843F0346D76282BDC7)
  • edge.exe (PID: 7396 cmdline: MD5: 0F43E9B3D93B65843F0346D76282BDC7)
  • cleanup
{"C2 url": ["authors-reflections.gl.at.ply.gg"], "Port": "19578", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\rat.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\rat.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x877b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8818:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x892d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8297:$cnc4: POST / HTTP/1.1
C:\Users\user\AppData\Roaming\edge.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Roaming\edge.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x877b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8818:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x892d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8297:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x857b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8618:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x872d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8097:$cnc4: POST / HTTP/1.1
00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1516b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x273eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x15208:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x27488:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x1531d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x2759d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x14c87:$cnc4: POST / HTTP/1.1
  • 0x26f07:$cnc4: POST / HTTP/1.1
Process Memory Space: 7yJsmmW4wS.exe PID: 2548 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

Source | Rule | Description | Author | Strings
8.0.rat.exe.370000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
8.0.rat.exe.370000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x877b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8818:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x892d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8297:$cnc4: POST / HTTP/1.1
0.2.7yJsmmW4wS.exe.328fc70.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.7yJsmmW4wS.exe.328fc70.1.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x697b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6a18:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6b2d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6497:$cnc4: POST / HTTP/1.1
0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\edge.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\rat.exe, ProcessId: 1240, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\edge
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\rat.exe, ProcessId: 1240, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\rat.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\rat.exe, ParentProcessId: 1240, ParentProcessName: rat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe", ProcessId: 7356, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe", CommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe", CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\rat.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\rat.exe, ParentProcessId: 1240, ParentProcessName: rat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe", ProcessId: 7356, ProcessName: schtasks.exe
Source: Process started | Author: frack113, Nasreddine Bencherchali | Data: Command: "C:\Users\user~1\AppData\Local\Temp\rat.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\rat.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\rat.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\rat.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\rat.exe, ParentCommandLine: "C:\Users\user\Desktop\7yJsmmW4wS.exe", ParentImage: C:\Users\user\Desktop\7yJsmmW4wS.exe, ParentProcessId: 2548, ParentProcessName: 7yJsmmW4wS.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\rat.exe" , ProcessId: 1240, ProcessName: rat.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T19:16:24.283835+0200 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49979 | 147.185.221.23 | 19578 | TCP

AV Detection
Source: 7yJsmmW4wS.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\edge.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Avira: detection malicious, Label: HEUR/AGEN.1305769
Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["authors-reflections.gl.at.ply.gg"], "Port": "19578", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Virustotal: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\rat.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Roaming\edge.exe | ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Roaming\edge.exe | Virustotal: Detection: 72%
Source: 7yJsmmW4wS.exe | Virustotal: Detection: 54%
Source: 7yJsmmW4wS.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\edge.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Joe Sandbox ML: detected
Source: 7yJsmmW4wS.exe | Joe Sandbox ML: detected
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: authors-reflections.gl.at.ply.gg
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: 19578
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: <123456789>
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: <Xwormmm>
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: XWorm V5.6
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: USB.exe
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: %AppData%
Source: 8.0.rat.exe.370000.0.unpack | String decryptor: edge.exe
Source: 7yJsmmW4wS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7yJsmmW4wS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\AsUpIO20111020\20111020\objfre_wnet_AMD64\amd64\AsUpIO.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Unable to locate the .pdb file in this location source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: The module signature does not match with .pdb signature. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: .pdb.dbg source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdbmm/GCTL source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: or you do not have access permission to the .pdb location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\kenneth\Downloads\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: dbghelp.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
Source: Binary string: dbghelp.pdbGCTL source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7953992B4 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF795399210 FindClose,abort,FindFirstFileExW,GetLastError

Networking

Source: Network traffic | Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49977 -> 147.185.221.23:19578
Source: Network traffic | Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49979 -> 147.185.221.23:19578
Source: Malware configuration extractor | URLs: authors-reflections.gl.at.ply.gg
Source: global traffic | TCP traffic: 147.185.221.23 ports 19578,1,5,7,8,9
Source: global traffic | TCP traffic: 192.168.2.7:49700 -> 147.185.221.23:19578
Source: Joe Sandbox View | IP Address: 147.185.221.23
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: authors-reflections.gl.at.ply.gg
Source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: rat.exe, 00000008.00000002.3717163305.00000000024C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: freeware.exe, 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | String found in binary or memory: http://www.urwpp.com
Source: freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | String found in binary or memory: http://www.urwpp.de
Source: freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | String found in binary or memory: http://www.urwpp.dehttp://www.urwpp.dehttp://www.urwpp.comhttp://www.urwpp.comNimbus
Source: freeware.exe.0.dr | String found in binary or memory: https://github.com/googlefonts/lexend)6_ju
Source: freeware.exe.0.dr | String found in binary or memory: https://scripts.sil.org/OFLThis
Source: freeware.exe.0.dr | String found in binary or memory: https://scripts.sil.org/OFLhttps://www.lexend.comBonnie
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B9D64 _beginthreadex,_Mtx_lock,_Mtx_unlock,GetAsyncKeyState,GetAsyncKeyState,terminate,_invalid_parameter_noinfo_noreturn,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\rat.exe | Process information set: 01 00 00 00

System Summary

Source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B6A08 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,_stricmp,getenv,memchr,LoadLibraryExA,VirtualFree,_invalid_parameter_noinfo_noreturn,VirtualFree,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B7228: LoadLibraryExA,_beginthreadex,terminate,?_Throw_Cpp_error@std@@YAXH@Z,_Thrd_id,_Thrd_join,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,?_Throw_Cpp_error@std@@YAXH@Z,memcmp,GetModuleHandleA,GetCurrentProcessId,memcmp,GetModuleHandleA,GetCurrentProcessId,DeviceIoControl,memcmp,GetModuleHandleA,GetCurrentProcessId,DeviceIoControl
Source: C:\Users\user\Desktop\7yJsmmW4wS.exe | Code function: 0_2_00007FFAACCE0A21
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE2719
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE1289
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE8A66
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE9812
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE0E33
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE3769
Source: C:\Users\user\AppData\Local\Temp\rat.exe | Code function: 8_2_00007FFAACCE1BC5
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B7228
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952D225C
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B5E5C
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952CF2D5
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7953992B4
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B2980
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952D11BC
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952BC214
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B6A08
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952C2E0C
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952CA5D8
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952C7CC0
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: 9_2_00007FF7952B90B0
Source: C:\Users\user\AppData\Roaming\edge.exe | Code function: 14_2_00007FFAACCE1289
Source: C:\Users\user\AppData\Roaming\edge.exe | Code function: 14_2_00007FFAACCE1BC5
Source: C:\Users\user\AppData\Roaming\edge.exe | Code function: 16_2_00007FFAACCD1289
Source: C:\Users\user\AppData\Roaming\edge.exe | Code function: 16_2_00007FFAACCD1BC5
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: String function: 00007FF7952B3EBC appears 58 times
Source: C:\Users\user\AppData\Local\Temp\freeware.exe | Code function: String function: 00007FF7952D2F28 appears 109 times
Source: 7yJsmmW4wS.exe, 00000000.00000000.1255644971.0000000001038000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefreeware.exe4 vs 7yJsmmW4wS.exe
Source: 7yJsmmW4wS.exe, 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerat.exe4 vs 7yJsmmW4wS.exe
Source: 7yJsmmW4wS.exe | Binary or memory string: OriginalFilenamefreeware.exe4 vs 7yJsmmW4wS.exe
Source: 7yJsmmW4wS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7yJsmmW4wS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rat.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rat.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rat.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: edge.exe.8.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: edge.exe.8.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: edge.exe.8.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: rat.exe.0.dr, Settings.cs | Base64 encoded string: 'mZ5PY82JATlZAMnr4kQ0nx73VB3LsOpdxE3BVduerFREmaiVDQ+JeiNHpLtTHU1m'
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Settings.csBase64 encoded string: 'mZ5PY82JATlZAMnr4kQ0nx73VB3LsOpdxE3BVduerFREmaiVDQ+JeiNHpLtTHU1m'
                  Source: edge.exe.8.dr, Settings.csBase64 encoded string: 'mZ5PY82JATlZAMnr4kQ0nx73VB3LsOpdxE3BVduerFREmaiVDQ+JeiNHpLtTHU1m'
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: rat.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: rat.exe.0.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: edge.exe.8.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                  Source: edge.exe.8.dr, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                  Source: freeware.exe.0.drBinary string: \Device\PhysicalMemory
                  Source: freeware.exe.0.drBinary string: \Device\AsUpdateio
                  Source: freeware.exe.0.drBinary string: \Device\crazyape776
                  Source: classification engineClassification label: mal100.troj.evad.winEXE@13/6@1/1
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeCode function: 9_2_00007FF7952BB728 CreateToolhelp32Snapshot,Process32First,lstrcmpiA,Process32Next,CloseHandle,CloseHandle,9_2_00007FF7952BB728
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\7yJsmmW4wS.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeMutant created: \Sessions\1\BaseNamedObjects\DfSwcy0uKBIsveTI1
                  Source: C:\Users\user\AppData\Roaming\edge.exeMutant created: NULL
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeMutant created: \Sessions\1\BaseNamedObjects\QxbISg5F4EKZB8tq
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeFile created: C:\Users\user\AppData\Local\Temp\rat.exeJump to behavior
                  Source: 7yJsmmW4wS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: 7yJsmmW4wS.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: 7yJsmmW4wS.exeVirustotal: Detection: 54%
                  Source: 7yJsmmW4wS.exeReversingLabs: Detection: 73%
                  Source: unknownProcess created: C:\Users\user\Desktop\7yJsmmW4wS.exe "C:\Users\user\Desktop\7yJsmmW4wS.exe"
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeProcess created: C:\Users\user\AppData\Local\Temp\rat.exe "C:\Users\user~1\AppData\Local\Temp\rat.exe"
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeProcess created: C:\Users\user\AppData\Local\Temp\freeware.exe "C:\Users\user~1\AppData\Local\Temp\freeware.exe"
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
                  Source: C:\Windows\System32\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\edge.exe C:\Users\user\AppData\Roaming\edge.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\edge.exe C:\Users\user\AppData\Roaming\edge.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\edge.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\edge.exe
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeProcess created: C:\Users\user\AppData\Local\Temp\rat.exe "C:\Users\user~1\AppData\Local\Temp\rat.exe" Jump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeProcess created: C:\Users\user\AppData\Local\Temp\freeware.exe "C:\Users\user~1\AppData\Local\Temp\freeware.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeProcess created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: sxs.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: mpr.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: scrrun.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: linkinfo.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: ntshrui.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: cscapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: avicap32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: msvfw32.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: winmm.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: msvcp140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: dbghelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: d3d11.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: d3dcompiler_43.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: dwmapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: d3dx11_43.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: vcruntime140_1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: vcruntime140_1.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: dxgi.dllJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeSection loaded: vcruntime140.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                  Source: edge.lnk.8.drLNK file: ..\..\..\..\..\edge.exe
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                  Source: 7yJsmmW4wS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: 7yJsmmW4wS.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
                  Source: 7yJsmmW4wS.exeStatic file information: File size 1464320 > 1048576
                  Source: 7yJsmmW4wS.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x164e00
                  Source: 7yJsmmW4wS.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: D:\AsUpIO20111020\20111020\objfre_wnet_AMD64\amd64\AsUpIO.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
                  Source: Binary string: Drive not readyThis error indicates a .pdb file related failure. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Unable to locate the .pdb file in this location source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: The module signature does not match with .pdb signature. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: .pdb.dbg source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Age does not matchThe module age and .pdb age do not match. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdbmm/GCTL source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
                  Source: Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: or you do not have access permission to the .pdb location. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\Users\kenneth\Downloads\payson-ioctl-cheat-driver-main\build\driver\driver.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
                  Source: Binary string: Downloading symbols for [%s] %ssrv*symsrv*http://https://_bad_pdb_file.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: Signature does not matchThe module signature does not match with .pdb signature source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: dbghelp.pdb source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp
                  Source: Binary string: C:\Users\skinn\OneDrive\Desktop\wait wait what\Roblox Cheating Sources\thedecentsource\santo\build\santo.pdb source: freeware.exe, 00000009.00000000.1290098975.00007FF79539F000.00000002.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp, freeware.exe.0.dr
                  Source: Binary string: dbghelp.pdbGCTL source: freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

                  Source: rat.exe.0.dr, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: rat.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: edge.exe.8.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: edge.exe.8.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
                  Source: rat.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: rat.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                  Source: rat.exe.0.dr, Messages.cs .Net Code: Memory
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                  Source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, Messages.cs .Net Code: Memory
                  Source: edge.exe.8.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
                  Source: edge.exe.8.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
                  Source: edge.exe.8.dr, Messages.cs .Net Code: Memory
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Code function: 0_2_00007FFAACCE00BD pushad ; iretd 0_2_00007FFAACCE00C1
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Code function: 8_2_00007FFAACCE00BD pushad ; iretd 8_2_00007FFAACCE00C1
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952CE535 push rbp; iretd 9_2_00007FF7952CE536
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BE08D push rdi; ret 9_2_00007FF7952BE08E
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BBF34 push rbp; iretd 9_2_00007FF7952BBF35
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7952BBFE6 push rbp; iretd 9_2_00007FF7952BBFE7
                  Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 14_2_00007FFAACCE00BD pushad ; iretd 14_2_00007FFAACCE00C1
                  Source: C:\Users\user\AppData\Roaming\edge.exe Code function: 16_2_00007FFAACCD00BD pushad ; iretd 16_2_00007FFAACCD00C1
                  Source: 7yJsmmW4wS.exe Static PE information: section name: .text entropy: 7.998334006790471
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File created: C:\Users\user\AppData\Local\Temp\freeware.exe
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe File created: C:\Users\user\AppData\Roaming\edge.exe
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe File created: C:\Users\user\AppData\Local\Temp\rat.exe

                  Boot Survival

                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run edge
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\edge.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\AppData\Local\Temp\rat.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Memory allocated: 1870000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Memory allocated: 1B270000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Memory allocated: BC0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Memory allocated: 1A4C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1430000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1B120000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: A30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1A910000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1690000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1B060000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 13C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\edge.exe Memory allocated: 1AE80000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\edge.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Window / User API: threadDelayed 2396
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Window / User API: threadDelayed 7431
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe TID: 6704 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe TID: 7444 Thread sleep time: -15679732462653109s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\edge.exe TID: 7492 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\edge.exe TID: 7764 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\edge.exe TID: 8072 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\edge.exe TID: 7364 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\edge.exe File Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF7953992B4 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,9_2_00007FF7953992B4
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF795399210 FindClose,abort,FindFirstFileExW,GetLastError,9_2_00007FF795399210
                  Source: rat.exe, 00000008.00000002.3719816331.000000001B410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWnStr%SystemRoot%\system32\mswsock.dllem.Web.Security.SqlRoleProvider, Sys

                  Anti Debugging

                  Source: C:\Users\user\AppData\Roaming\edge.exe System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\edge.exe Process token adjusted: Debug
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exe Code function: 9_2_00007FF795398080 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF795398080
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Memory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process created: C:\Users\user\AppData\Local\Temp\rat.exe "C:\Users\user~1\AppData\Local\Temp\rat.exe"
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exe Process created: C:\Users\user\AppData\Local\Temp\freeware.exe "C:\Users\user~1\AppData\Local\Temp\freeware.exe"
                  Source: C:\Users\user\AppData\Local\Temp\rat.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeCode function: GetLocaleInfoEx,FormatMessageA,9_2_00007FF795398D90
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeQueries volume information: C:\Users\user\Desktop\7yJsmmW4wS.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeQueries volume information: C:\Users\user\AppData\Local\Temp\rat.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeQueries volume information: C:\Users\user\AppData\Roaming\edge.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeQueries volume information: C:\Users\user\AppData\Roaming\edge.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeQueries volume information: C:\Users\user\AppData\Roaming\edge.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\edge.exeQueries volume information: C:\Users\user\AppData\Roaming\edge.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\freeware.exeCode function: 9_2_00007FF795398C10 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00007FF795398C10
                  Source: C:\Users\user\Desktop\7yJsmmW4wS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: rat.exe, 00000008.00000002.3719816331.000000001B4F1000.00000004.00000020.00020000.00000000.sdmp, rat.exe, 00000008.00000002.3719816331.000000001B4AE000.00000004.00000020.00020000.00000000.sdmp, rat.exe, 00000008.00000002.3715723586.0000000000869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                  Source: C:\Users\user\AppData\Local\Temp\rat.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
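The repeated root\SecurityCenter2 AntivirusProduct query, the SeDebugPrivilege adjustment and the CodeIntegrityInformation query listed above are exactly the behaviours a detection engineer turns into a rule, and the interesting part is the combination: a process living under a user profile that does several of them. The Python below is an added example, not part of the Joe Sandbox report and not XWorm code. It scores processes from a small set of constructed EDR-style events and flags those that run from a user-writable path and show at least two of the discovery/evasion behaviours from this section. The event layout, the field names, the threshold and the sample events are this example's own assumptions; PIDs and paths mirror the report, the svchost.exe and Downloads\setup.exe entries are constructed controls.

```python
"""Added example (not from the report): score processes for the security-software
and sandbox discovery pattern shown in this section. Event layout, field names,
thresholds and the sample events below are assumptions made for the example."""
import re
from collections import defaultdict

# Process images under a user profile: where rat.exe, freeware.exe and edge.exe live.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)

# Constructed EDR-style events, one dict each (assumed shape, not a real product's schema).
EVENTS = [
    {"pid": 1240, "image": r"C:\Users\user\AppData\Local\Temp\rat.exe", "type": "wmi_query",
     "namespace": r"root\SecurityCenter2", "query": "Select * from AntivirusProduct"},
    {"pid": 1240, "image": r"C:\Users\user\AppData\Local\Temp\rat.exe", "type": "wmi_query",
     "namespace": r"root\SecurityCenter2", "query": "Select * from AntivirusProduct"},
    {"pid": 1240, "image": r"C:\Users\user\AppData\Local\Temp\rat.exe", "type": "wmi_query",
     "namespace": r"root\cimv2", "query": "SELECT * FROM Win32_VideoController"},
    {"pid": 1240, "image": r"C:\Users\user\AppData\Local\Temp\rat.exe", "type": "token_adjust",
     "privilege": "SeDebugPrivilege"},
    {"pid": 7468, "image": r"C:\Users\user\AppData\Roaming\edge.exe", "type": "sysinfo_query",
     "class": "CodeIntegrityInformation"},
    {"pid": 7468, "image": r"C:\Users\user\AppData\Roaming\edge.exe", "type": "token_adjust",
     "privilege": "SeDebugPrivilege"},
    # Constructed control: the same AntivirusProduct query from a system service must not fire.
    {"pid": 900, "image": r"C:\Windows\System32\svchost.exe", "type": "wmi_query",
     "namespace": r"root\SecurityCenter2", "query": "Select * from AntivirusProduct"},
    # Constructed control: a single behaviour from a user-writable path stays below threshold.
    {"pid": 4242, "image": r"C:\Users\user\Downloads\setup.exe", "type": "token_adjust",
     "privilege": "SeDebugPrivilege"},
]


def is_user_writable(image):
    """True when the process image lives in a user-profile directory."""
    return bool(USER_WRITABLE.match(image))


def classify(event):
    """Map one telemetry event to the discovery/evasion behaviour it represents, or None."""
    kind = event["type"]
    if kind == "wmi_query":
        namespace = event.get("namespace", "").lower()
        query = event.get("query", "").lower()
        if namespace.endswith("securitycenter2") and re.search(
                r"from\s+(antivirus|antispyware|firewall)product", query):
            return "security_software_discovery"
        if "win32_videocontroller" in query:
            return "video_controller_query"
    elif kind == "token_adjust" and event.get("privilege") == "SeDebugPrivilege":
        return "debug_privilege"
    elif kind == "sysinfo_query" and event.get("class") == "CodeIntegrityInformation":
        return "code_integrity_check"
    return None


def evaluate(events):
    """Distinct behaviours per PID. Repeats of the same query (rat.exe issues the
    AntivirusProduct query ten times in the report) count once, so volume alone
    cannot push a process over the threshold."""
    hits = defaultdict(set)
    images = {}
    for event in events:
        label = classify(event)
        if label:
            hits[event["pid"]].add(label)
            images[event["pid"]] = event["image"]
    return {pid: (images[pid], sorted(labels)) for pid, labels in hits.items()}


def flagged(events, min_behaviours=2):
    """PIDs worth triage: user-writable image plus at least min_behaviours distinct
    behaviours. System binaries doing the same WMI queries are excluded on purpose:
    the Security Center itself queries root\\SecurityCenter2."""
    return {pid: labels for pid, (image, labels) in evaluate(events).items()
            if is_user_writable(image) and len(labels) >= min_behaviours}


if __name__ == "__main__":
    for pid, labels in flagged(EVENTS).items():
        print(pid, labels)
```

The threshold of two distinct behaviours is the knob to tune: lowering it to one catches the dropper earlier but also catches every installer that enables SeDebugPrivilege, which is why the image-path test is applied first rather than as one more score point.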

                  Stealing of Sensitive Information

Source: Yara match | File source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7yJsmmW4wS.exe PID: 2548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rat.exe PID: 1240, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED

                  Remote Access Functionality

Source: Yara match | File source: 8.0.rat.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7yJsmmW4wS.exe.328fc70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.7yJsmmW4wS.exe.328fc70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 7yJsmmW4wS.exe PID: 2548, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rat.exe PID: 1240, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\rat.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\edge.exe, type: DROPPED
MITRE ATT&CK Matrix (observed techniques only; the number in front of a technique is the signature count as shown in the original matrix; tactic columns without a hit are listed at the end)

Execution: 11 Windows Management Instrumentation; 1 Scheduled Task/Job
Persistence: 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 21 Registry Run Keys / Startup Folder; 1 DLL Side-Loading
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 231 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 22 Software Packing; 1 DLL Side-Loading
Credential Access: 11 Input Capture
Discovery: 1 System Time Discovery; 321 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 2 File and Directory Discovery; 24 System Information Discovery
Collection: 11 Input Capture; 11 Archive Collected Data
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 11 Application Layer Protocol
No observed techniques: Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact
Behavior Graph ID: 1532626 | Sample: 7yJsmmW4wS.exe | Start date: 13/10/2024 | Architecture: WINDOWS | Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
DNS/IP: authors-reflections.gl.at.ply.gg

Process tree (text rendering of the behavior graph; the graph legend distinguished processes, signatures, created files, DNS/IP nodes, dropped and Windows processes, and the implementation language, here given inline):

7yJsmmW4wS.exe (.NET, malicious)
  dropped: C:\Users\user\AppData\Local\Temp\rat.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\freeware.exe (PE32+)
  dropped: C:\Users\user\AppData\...\7yJsmmW4wS.exe.log (CSV)
  rat.exe (dropped)
    network: authors-reflections.gl.at.ply.gg, 147.185.221.23, ports 19578, 49700, 49839, SALSGIVERUS, United States
    dropped: C:\Users\user\AppData\Roaming\edge.exe (PE32)
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 3 other signatures
    schtasks.exe (Windows process)
      conhost.exe (Windows process)
  freeware.exe (dropped)
    conhost.exe (Windows process)
edge.exe (dropped, first instance)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
edge.exe (dropped, second instance)
  signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
2 other processes

Note on the port list: the two 497xx values fall in the Windows client ephemeral range, so 19578 is the tunnel endpoint's listening port and the connection to it was made at least twice.

Source | Detection | Scanner | Label
7yJsmmW4wS.exe | 55% | Virustotal |
7yJsmmW4wS.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT
7yJsmmW4wS.exe | 100% | Avira | TR/Dropper.Gen
7yJsmmW4wS.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\edge.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Local\Temp\rat.exe | 100% | Avira | HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\edge.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\rat.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\freeware.exe | 42% | Virustotal |
C:\Users\user\AppData\Local\Temp\rat.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\rat.exe | 73% | Virustotal |
C:\Users\user\AppData\Roaming\edge.exe | 88% | ReversingLabs | ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Roaming\edge.exe | 73% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
authors-reflections.gl.at.ply.gg | 4% | Virustotal |

Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://github.com/googlefonts/lexend)6_ju | 0% | Virustotal |
https://scripts.sil.org/OFLThis | 0% | Virustotal |
https://scripts.sil.org/OFLhttps://www.lexend.comBonnie | 0% | Virustotal |
authors-reflections.gl.at.ply.gg | 4% | Virustotal |
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal |
http://www.urwpp.de | 0% | Virustotal |
http://www.urwpp.com | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
authors-reflections.gl.at.ply.gg | 147.185.221.23 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
authors-reflections.gl.at.ply.gg | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://github.com/googlefonts/lexend)6_ju | freeware.exe.0.dr | false | | unknown
https://scripts.sil.org/OFLThis | freeware.exe.0.dr | false | | unknown
http://www.apache.org/licenses/LICENSE-2.0 | freeware.exe, 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | false | | unknown
http://www.urwpp.de | freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | false | | unknown
https://scripts.sil.org/OFLhttps://www.lexend.comBonnie | freeware.exe.0.dr | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | rat.exe, 00000008.00000002.3717163305.00000000024C1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.dehttp://www.urwpp.dehttp://www.urwpp.comhttp://www.urwpp.comNimbus | freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | false | | unknown
http://https://_bad_pdb_file.pdb | freeware.exe, 00000009.00000002.3717107290.00007FFB087AD000.00000002.00000001.01000000.0000000A.sdmp | false | | unknown
http://www.urwpp.com | freeware.exe, 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp, freeware.exe, 00000009.00000000.1290142796.00007FF7953E1000.00000008.00000001.01000000.00000007.sdmp, freeware.exe.0.dr | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.23 | authors-reflections.gl.at.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532626
Start date and time: 2024-10-13 19:12:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 41s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: 7yJsmmW4wS.exe (renamed because the original name is a hash value)
Original Sample Name: 4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@13/6@1/1
EGA Information:
• Successful, ratio: 20%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 23
• Number of non-executed functions: 83
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 7yJsmmW4wS.exe, PID 2548 because it is empty
• Execution Graph export aborted for target edge.exe, PID 7468 because it is empty
• Execution Graph export aborted for target edge.exe, PID 7744 because it is empty
• Execution Graph export aborted for target freeware.exe, PID 2980 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:13:11 | API Interceptor | 15805638x Sleep call for process: rat.exe modified
19:13:12 | Task Scheduler | Run new task: edge, path: C:\Users\user\AppData\Roaming\edge.exe
19:13:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, edge, C:\Users\user\AppData\Roaming\edge.exe
20:55:59 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, edge, C:\Users\user\AppData\Roaming\edge.exe
20:56:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk
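The timeline shows one executable, C:\Users\user\AppData\Roaming\edge.exe, registered three ways: the scheduled task created by the schtasks command line in the signatures section (every minute, /RL HIGHEST), an HKCU Run value, and a Startup-folder shortcut. Each mechanism on its own is common in legitimate software; the same target behind all three within seconds is not. The Python below is an added example, not the report's or the malware's code: it parses a schtasks /create command line and correlates task, Run-key and Startup-shortcut events by the executable they launch, flagging redundant persistence and high-frequency elevated tasks. The event shapes, the constructed OneDrive control entry and the thresholds are this example's assumptions; the edge.exe events mirror the report.

```python
"""Added example (not from the report): correlate persistence mechanisms by the
executable they launch. Event shapes and thresholds are assumptions for the example."""
import re
from collections import defaultdict

# Command line from the report's signatures section.
TASK_CMD = (r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
            r'/tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"')

# Constructed events (assumed shape). The OneDrive Run value is a benign control.
PERSISTENCE_EVENTS = [
    {"type": "process", "image": r"C:\Users\user\AppData\Local\Temp\rat.exe", "cmdline": TASK_CMD},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "edge", "data": r"C:\Users\user\AppData\Roaming\edge.exe"},
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\edge.lnk",
     "lnk_target": r"C:\Users\user\AppData\Roaming\edge.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]


def parse_schtasks(cmdline):
    """Extract the fields that matter from a 'schtasks /create' command line.
    Returns None for anything that is not a task creation."""
    if not re.search(r"/create\b", cmdline, re.I):
        return None

    def opt(name):
        # Value is either a double-quoted string or the next whitespace-free token.
        m = re.search(r"/%s\s+(?:\"([^\"]*)\"|(\S+))" % name, cmdline, re.I)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)

    modifier = opt("mo")
    return {
        "name": opt("tn"),
        "target": opt("tr"),
        "schedule": (opt("sc") or "").lower(),
        "modifier": int(modifier) if modifier and modifier.isdigit() else None,
        "run_level": (opt("rl") or "LIMITED").upper(),
        "force": bool(re.search(r"/f\b", cmdline, re.I)),
    }


def normalize_target(command):
    """Reduce a Run value or task action to the lower-cased executable it launches."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:command.find('"', 1)]
    else:
        exe = command.split(" ", 1)[0]
    return exe.lower()


def correlate(events):
    """Group persistence mechanisms by launched executable."""
    by_target = defaultdict(dict)
    for ev in events:
        if ev["type"] == "process":
            task = parse_schtasks(ev["cmdline"])
            if task and task["target"]:
                by_target[normalize_target(task["target"])]["scheduled_task"] = task
        elif ev["type"] == "registry" and ev["key"].lower().endswith(r"\currentversion\run"):
            by_target[normalize_target(ev["data"])]["run_key"] = ev["value"]
        elif ev["type"] == "file" and "\\startup\\" in ev["path"].lower() \
                and ev["path"].lower().endswith(".lnk"):
            by_target[normalize_target(ev["lnk_target"])]["startup_lnk"] = ev["path"]
    return by_target


def suspicious_targets(events, min_mechanisms=2):
    """Executables registered through min_mechanisms or more mechanisms, or through a
    task that fires every minute or runs elevated. A lone Run value is not enough."""
    out = {}
    for target, mechs in correlate(events).items():
        reasons = []
        if len(mechs) >= min_mechanisms:
            reasons.append("redundant_persistence:" + ",".join(sorted(mechs)))
        task = mechs.get("scheduled_task")
        if task:
            if task["schedule"] == "minute" and task["modifier"] is not None and task["modifier"] <= 1:
                reasons.append("task_every_minute")
            if task["run_level"] == "HIGHEST":
                reasons.append("task_run_level_highest")
        if reasons and re.match(r"^[a-z]:\\users\\[^\\]+\\appdata\\", target):
            reasons.append("user_writable_target")
        if reasons:
            out[target] = reasons
    return out


if __name__ == "__main__":
    for target, reasons in suspicious_targets(PERSISTENCE_EVENTS).items():
        print(target, reasons)
```

Two caveats a practitioner will hit on real data: the Task Scheduler rewrites the task into XML under C:\Windows\System32\Tasks, so a command-line parser only sees tasks created through schtasks.exe (tasks created via the COM API need the XML or the TaskScheduler operational log instead), and /RL HIGHEST only yields elevation if the creating user is an administrator, which is why the report shows the task under the user's own context.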
Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.185.221.23 | I8YtUAUWeS.exe | malicious | XWorm |
147.185.221.23 | s3OBQLA3xR.exe | malicious | XWorm |
147.185.221.23 | W1FREE.exe | malicious | XWorm |
147.185.221.23 | x2Yi9Hr77a.exe | malicious | XWorm |
147.185.221.23 | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm |
147.185.221.23 | A39tzaySzX.exe | malicious | AsyncRAT, XWorm |
147.185.221.23 | H1N45BQJ8x.exe | malicious | XWorm |
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | I8YtUAUWeS.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | s3OBQLA3xR.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | W1FREE.exe | malicious | XWorm | 147.185.221.23
SALSGIVERUS | dHp58IIEYz.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Lr87y2w72r.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | 7LwVrYH7sy.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | 432mtXKD3l.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | 5q4X9fRo4b.exe | malicious | AsyncRAT, XWorm | 147.185.221.17
SALSGIVERUS | l18t80u9zg.exe | malicious | XWorm | 147.185.221.22
SALSGIVERUS | Windows Defender.exe | malicious | XWorm | 147.185.221.22
No context
No context
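The C2 endpoint is a gl.at.ply.gg hostname, which the playit.gg tunnelling service hands out to its users, so the hostname and the 147.185.221.x address are shared relay infrastructure rather than attacker-owned servers; the table above shows .17, .18, .22 and .23 relaying other XWorm and AsyncRAT builds. That shapes how the indicators should be used: the exact hostname and IP are hits, any other ply.gg host or address in the same block is a lead to review, since the relay also serves game servers and other benign tunnels. The Python below is an added example, not part of the report, that applies this two-tier matching to constructed flow records. The flow records, the widening to 147.185.221.0/24 and the record layout are this example's assumptions.

```python
"""Added example (not from the report): two-tier matching of flow records against
the report's network indicators. Flow records and the /24 widening are assumptions."""
import ipaddress
from collections import defaultdict

# Indicators taken from the report and its related-sample table.
C2_HOST = "authors-reflections.gl.at.ply.gg"
C2_IP = "147.185.221.23"
RELATED_IPS = {"147.185.221.17", "147.185.221.18", "147.185.221.22", "147.185.221.23"}
# Assumption for hunting: widen to the /24 that all related samples fall in.
HUNT_NET = ipaddress.ip_network("147.185.221.0/24")
TUNNEL_SUFFIX = ".ply.gg"

# Constructed flow records: (internal source, destination IP, destination port, DNS/SNI name or None).
FLOWS = [
    ("10.0.0.5", "147.185.221.23", 19578, "authors-reflections.gl.at.ply.gg"),
    ("10.0.0.5", "147.185.221.23", 19578, None),
    ("10.0.0.5", "147.185.221.23", 19579, None),
    ("10.0.0.7", "147.185.221.22", 25565, "mc-server-xyz.gl.at.ply.gg"),
    ("10.0.0.9", "142.250.80.46", 443, "www.google.com"),
]


def classify_flow(dst_ip, dst_port, name):
    """Return ('exact', reason), ('related', reason) or None for one flow.
    Ordering matters: the exact hostname and the report's IP are checked before
    the broader tunnel-suffix and address-range tests."""
    if name and name.lower() == C2_HOST:
        return ("exact", "c2_hostname")
    if dst_ip in RELATED_IPS:
        return ("exact", "ioc_ip") if dst_ip == C2_IP else ("related", "sibling_sample_ip")
    if name and name.lower().endswith(TUNNEL_SUFFIX):
        return ("related", "ply.gg_tunnel_host")
    if ipaddress.ip_address(dst_ip) in HUNT_NET:
        return ("related", "hunt_range")
    return None


def hunt(flows):
    """Per internal source: the strongest match level, the reasons seen, and the
    distinct destination ports per IP (several ports on one relay IP is itself a
    clue that more than one tunnel or session is involved)."""
    summary = {}
    for src, dst_ip, port, name in flows:
        verdict = classify_flow(dst_ip, port, name)
        if not verdict:
            continue
        level, reason = verdict
        entry = summary.setdefault(src, {"level": "related", "reasons": set(), "ports": defaultdict(set)})
        if level == "exact":
            entry["level"] = "exact"
        entry["reasons"].add(reason)
        entry["ports"][dst_ip].add(port)
    return summary


if __name__ == "__main__":
    for src, entry in hunt(FLOWS).items():
        print(src, entry["level"], sorted(entry["reasons"]), dict(entry["ports"]))
```

Blocking the /24 outright would also cut off legitimate playit.gg traffic and is not advisable on a network where game-server tunnels are in use; the more durable control is the host-level one, since every sample in the related-sample table reaches the relay from a freshly dropped executable under AppData.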
                                    Process:C:\Users\user\Desktop\7yJsmmW4wS.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):654
                                    Entropy (8bit):5.380476433908377
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                    Malicious:true
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Users\user\AppData\Roaming\edge.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):654
                                    Entropy (8bit):5.380476433908377
                                    Encrypted:false
                                    SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                    MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                    SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                    SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                    SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                    Process:C:\Users\user\Desktop\7yJsmmW4wS.exe
                                    File Type:PE32+ executable (console) x86-64, for MS Windows
                                    Category:dropped
                                    Size (bytes):2322432
                                    Entropy (8bit):7.007547565174849
                                    Encrypted:false
                                    SSDEEP:49152:5iDc4qGH0Ux97b7b7blyAaqWq47gmEEnyKPZHRKttY+z+4y5PuL1dxhVQcmYD:2CUlaRqyZxKttYN/PuL1ZVF
                                    MD5:BFDFA3FAE0BF91D83DDDF5A708DBEFB1
                                    SHA1:EFDE91E21BE9CC72F232FF7EECE993D044308BB7
                                    SHA-256:7EAD32808AB47500FF3E36FC1B4702E797457ACC46E2769CD23004E5FAEB6761
                                    SHA-512:740429D8D3E15EB4DA2ED45F5C3BBE159D3F8C4B734044A26A478F71E6B529881CA0A198A00578105BFFDD34B013B024D6D94F404AEE91C1EAC0A53414F25A6F
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Virustotal, Detection: 42%, Browse
                                    Reputation:low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1...b...b...b.yb...b;.vb...b.F.c...b.F.b...b.F.c...b.F.c...b.F.c...b...c...b...bY..bj..c...b.G.c...b.G.c...b.G.b...b.G.c...bRich...b........PE..d...fU.g.........."....)......................@..............................#...........`.............................................L.......0.....#.......#..............#.4.......p.......................(.......@...............@............................text............................... ..`.rdata..B...........................@..@.data...............................@....pdata.......#.......".............@..@.rsrc.........#......\#.............@..@.reloc..4.....#......^#.............@..B................................................................................................................................................................................................................................
                                    Process:C:\Users\user\Desktop\7yJsmmW4wS.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):40448
                                    Entropy (8bit):5.636394334726735
                                    Encrypted:false
                                    SSDEEP:768:ET7JKHWcEbDvghvq3cJ+uap/5fzbN2WzFPw9UwOphwuA4c:A7JKHWcqcLiFN2iFY9UwOpGh4c
                                    MD5:0F43E9B3D93B65843F0346D76282BDC7
                                    SHA1:140BE5EEC263CDBADB57579201AA7CCACD3C770D
                                    SHA-256:108FF90BF1870B1618CCBA08FFA06DAE87028F514BDF2410B46204AFA2F8248B
                                    SHA-512:E322DA86925D29C214223F7E05C52B86104333D8E6A28C8F91A2B261B5B50DD08A209EFBA59AEAEE17607BE52EC2C2405030FC6945CE11FA0DCA01FEFDA8A029
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\rat.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\rat.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 73%, Browse
                                    Reputation:low
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.g................................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......8_...T............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                    Process:C:\Users\user\AppData\Local\Temp\rat.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Oct 13 16:13:10 2024, mtime=Sun Oct 13 16:13:10 2024, atime=Sun Oct 13 16:13:10 2024, length=40448, window=hide
                                    Category:dropped
                                    Size (bytes):751
                                    Entropy (8bit):5.067548280755048
                                    Encrypted:false
                                    SSDEEP:12:8ocO4gN+2Chsi1Y//jt6AALuQaJ8+aDjAvNHTBHFeQJCQJzBmV:8fl2f9muQz+yAppF9JZJtm
                                    MD5:8236853F02B2A1FCE12A171121A196F0
                                    SHA1:D9F5512AABFB2A7464386289EF58CE355E6385AE
                                    SHA-256:FFA9411284490D1CAA872B22CC5D35505EBD51CE2B3BEA04C5F02E2398EDF237
                                    SHA-512:A9FEF469758F1700D4D0B3BD31DC5E2246517C9461ADF3AD0F572E828506F75A335434872B18CB73D4E4F7B068BFBFCC56B469610FAA495AF875A8D4E40ADAFA
                                    Malicious:false
                                    Preview:L..................F.... ...e-.-....e-.-....e-.-............................n.:..DG..Yr?.D..U..k0.&...&......Qg.*_.....?%.....R..........t...CFSF..1.....EW.=..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW.=MY............................3*N.A.p.p.D.a.t.a...B.V.1.....MY....Roaming.@......EW.=MY............................n.+.R.o.a.m.i.n.g.....Z.2.....MY.. .edge.exe..B......MY..MY................................e.d.g.e...e.x.e.......Z...............-.......Y............}.......C:\Users\user\AppData\Roaming\edge.exe........\.....\.....\.....\.....\.e.d.g.e...e.x.e.`.......X.......494126...........hT..CrF.f4... ..../Tc...,......hT..CrF.f4... ..../Tc...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                    Process:C:\Users\user\AppData\Local\Temp\rat.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):40448
                                    Entropy (8bit):5.636394334726735
                                    Encrypted:false
                                    SSDEEP:768:ET7JKHWcEbDvghvq3cJ+uap/5fzbN2WzFPw9UwOphwuA4c:A7JKHWcqcLiFN2iFY9UwOpGh4c
                                    MD5:0F43E9B3D93B65843F0346D76282BDC7
                                    SHA1:140BE5EEC263CDBADB57579201AA7CCACD3C770D
                                    SHA-256:108FF90BF1870B1618CCBA08FFA06DAE87028F514BDF2410B46204AFA2F8248B
                                    SHA-512:E322DA86925D29C214223F7E05C52B86104333D8E6A28C8F91A2B261B5B50DD08A209EFBA59AEAEE17607BE52EC2C2405030FC6945CE11FA0DCA01FEFDA8A029
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\edge.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\edge.exe, Author: ditekSHen
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 88%
                                    • Antivirus: Virustotal, Detection: 73%, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....b.g................................. ........@.. ....................................@.................................L...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......8_...T............................................................(....*..(....*.s.........s.........s.........s.........*...0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0..........~....o.....+..*..0............(....(.....+..*....0...........(.....+..*..0...............(.....+..*..0...........(.....+..*..0................-.(...+.+.+...+..*.0.........................*..(....*.0.. .......~.........-.(...+.....~.....+..*..(....*.0..
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.997859272989848
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:7yJsmmW4wS.exe
                                    File size:1'464'320 bytes
                                    MD5:3dcc9cfed0a716b6ad3c4f4aaf1a1f46
                                    SHA1:e512e9a92247439ca3bbb8e412ec46f191025b41
                                    SHA256:4aecacc803e54cc06db8e3a84e910d5376f58867e2436eb68a19a9c203043bd2
                                    SHA512:9400b6f93ea25a644be656d2a1d9d3ba7a44ba2abdeb2140e6428fcdd4ba198216628c094602684744de2293bcbfe7e323c6ad74e4d7c6e16c77b66d1f65666c
                                    SSDEEP:24576:bvx5AU4Cte393UvHQbyGDfa1HSiSvcXKF41oVMz8f9ShSpwRs6MmgBXzAnPcWJ+G:bvPJ4Ue1IweVpSiGIec8Pr6MmgBX3H0g
                                    TLSH:016533B08BFCF325EED8573568603601C362A4A6784F1C5E8DA0892A631FA5F065DFD7
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)c.g.................N...........l... ........@.. ....................................@................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x566cae
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x670B6329 [Sun Oct 13 06:05:29 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the remaining bytes at the entrypoint are zero padding, which the disassembler renders as a long run of repeated "add byte ptr [eax], al")
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x166c54 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x168000 | 0x4e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x164cb4 | 0x164e00 | d2b6185c2aee59bf0e792e0d80bef820 | False | 0.9953542305166375 | data | 7.998334006790471 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x168000 | 0x4e0 | 0x600 | 07e863eeca965422f6550ca650e23d0d | False | 0.3776041666666667 | data | 3.726934327461166 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16a000 | 0xc | 0x200 | b5ddd55df5d98f6eaa46a44d28165bd9 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x1680a0 | 0x24c | data | | | 0.47278911564625853
RT_MANIFEST | 0x1682f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-13T19:15:50.862264+0200 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49977 | 147.185.221.23 | 19578 | TCP
2024-10-13T19:16:24.283835+0200 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.7 | 49979 | 147.185.221.23 | 19578 | TCP
                                    Oct 13, 2024 19:15:59.679414034 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:15:59.705761909 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:15:59.710664988 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:08.486913919 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:08.492258072 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:09.971357107 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:09.976516008 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:10.018122911 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:10.023272038 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:15.752569914 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:15.757730961 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:15.935811996 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:15.935904980 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.033565998 CEST4997819578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.035181046 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.038546085 CEST1957849978147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:20.040201902 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:20.040301085 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.077361107 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.082518101 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:20.111892939 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.117163897 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:20.127420902 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:20.132342100 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:22.096450090 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:22.103252888 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:24.283834934 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:24.288813114 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:28.846292019 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:28.851497889 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:30.299346924 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:30.304512024 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:30.377510071 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:30.382648945 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:38.143547058 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:38.149203062 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:40.502579927 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:40.507596970 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:40.518424988 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:40.523890972 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:40.533864021 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:40.540795088 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:41.439224958 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:41.439307928 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.627420902 CEST4997919578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.629724979 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.632397890 CEST1957849979147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.634630919 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.634701967 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.671724081 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.676738977 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.690026999 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.694914103 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.799429893 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.804594040 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.815069914 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.820954084 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.893460989 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.898900986 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.924372911 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.930237055 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.955668926 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.961458921 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:45.971252918 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:45.976907015 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:51.064929008 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:51.070713043 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:16:57.877717018 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:16:57.882839918 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:02.315188885 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:02.320342064 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:07.014601946 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:07.017436028 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:15.299349070 CEST4998019578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:15.300802946 CEST4998119578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:15.304425001 CEST1957849980147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:15.305763960 CEST1957849981147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:15.305876970 CEST4998119578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:15.333889008 CEST4998119578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:15.338860989 CEST1957849981147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:29.862045050 CEST4998119578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:29.866965055 CEST1957849981147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:36.703522921 CEST1957849981147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:36.703648090 CEST4998119578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:42.799305916 CEST4998119578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:42.800616980 CEST4998219578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:42.805026054 CEST1957849981147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:42.805994034 CEST1957849982147.185.221.23192.168.2.7
                                    Oct 13, 2024 19:17:42.806272984 CEST4998219578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:42.844145060 CEST4998219578192.168.2.7147.185.221.23
                                    Oct 13, 2024 19:17:42.849191904 CEST1957849982147.185.221.23192.168.2.7
                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                    Oct 13, 2024 19:13:12.294356108 CEST | 63185 | 53 | 192.168.2.7 | 1.1.1.1
                                    Oct 13, 2024 19:13:12.307651997 CEST | 53 | 63185 | 1.1.1.1 | 192.168.2.7

                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                    Oct 13, 2024 19:13:12.294356108 CEST | 192.168.2.7 | 1.1.1.1 | 0xcbd6 | Standard query (0) | authors-reflections.gl.at.ply.gg | A (IP address) | IN (0x0001) | false

                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                    Oct 13, 2024 19:13:12.307651997 CEST | 1.1.1.1 | 192.168.2.7 | 0xcbd6 | No error (0) | authors-reflections.gl.at.ply.gg |  | 147.185.221.23 | A (IP address) | IN (0x0001) | false


                                    Target ID:0
                                    Start time:13:13:02
                                    Start date:13/10/2024
                                    Path:C:\Users\user\Desktop\7yJsmmW4wS.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\7yJsmmW4wS.exe"
                                    Imagebase:0xed0000
                                    File size:1'464'320 bytes
                                    MD5 hash:3DCC9CFED0A716B6AD3C4F4AAF1A1F46
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1291498856.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    Target ID:8
                                    Start time:13:13:06
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Local\Temp\rat.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\rat.exe"
                                    Imagebase:0x370000
                                    File size:40'448 bytes
                                    MD5 hash:0F43E9B3D93B65843F0346D76282BDC7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000000.1287942195.0000000000372000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Local\Temp\rat.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\rat.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 73%, Virustotal
                                    Reputation:low
                                    Has exited:false

                                    Target ID:9
                                    Start time:13:13:06
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Local\Temp\freeware.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user~1\AppData\Local\Temp\freeware.exe"
                                    Imagebase:0x7ff7952b0000
                                    File size:2'322'432 bytes
                                    MD5 hash:BFDFA3FAE0BF91D83DDDF5A708DBEFB1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 42%, Virustotal
                                    Reputation:low
                                    Has exited:false

                                    Target ID:10
                                    Start time:13:13:06
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:false

                                    Target ID:12
                                    Start time:13:13:10
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\schtasks.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "edge" /tr "C:\Users\user\AppData\Roaming\edge.exe"
                                    Imagebase:0x7ff68aec0000
                                    File size:235'008 bytes
                                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:13
                                    Start time:13:13:10
                                    Start date:13/10/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff75da10000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:14
                                    Start time:13:13:12
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\edge.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\edge.exe
                                    Imagebase:0xe00000
                                    File size:40'448 bytes
                                    MD5 hash:0F43E9B3D93B65843F0346D76282BDC7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: C:\Users\user\AppData\Roaming\edge.exe, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: C:\Users\user\AppData\Roaming\edge.exe, Author: ditekSHen
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 100%, Joe Sandbox ML
                                    • Detection: 88%, ReversingLabs
                                    • Detection: 73%, Virustotal
                                    Reputation:low
                                    Has exited:true

                                    Target ID:16
                                    Start time:14:56:00
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\edge.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Users\user\AppData\Roaming\edge.exe
                                    Imagebase:0x500000
                                    File size:40'448 bytes
                                    MD5 hash:0F43E9B3D93B65843F0346D76282BDC7
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:true

                                    Target ID:20
                                    Start time:14:57:00
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\edge.exe
                                    Wow64 process (32bit):
                                    Commandline:
                                    Imagebase:
                                    File size:40'448 bytes
                                    MD5 hash:0F43E9B3D93B65843F0346D76282BDC7
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false

                                    Target ID:22
                                    Start time:14:58:01
                                    Start date:13/10/2024
                                    Path:C:\Users\user\AppData\Roaming\edge.exe
                                    Wow64 process (32bit):
                                    Commandline:
                                    Imagebase:
                                    File size:40'448 bytes
                                    MD5 hash:0F43E9B3D93B65843F0346D76282BDC7
                                    Has elevated privileges:
                                    Has administrator privileges:
                                    Programmed in:C, C++ or other language
                                    Reputation:low
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:20.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:3
                                      Total number of Limit Nodes:0
                                      execution_graph
                                      • 4067: 7ffaacce3d1f
                                      • 4068: 7ffaacce3d2e RtlSetProcessIsCritical
                                      • 4070: 7ffaacce3f22
                                      • Edges: 4067 -> 4068, 4068 -> 4070

                                      Control-flow Graph

                                      control_flow_graph (node: basic block address range -> successor nodes)
                                      • 700: 7ffaacce3d1f-7ffaacce3d2c -> 701, 702
                                      • 701: 7ffaacce3d2f-7ffaacce3d50 -> 703, 704
                                      • 702: 7ffaacce3d2e -> 701
                                      • 703: 7ffaacce3d52-7ffaacce3d54 -> 704
                                      • 704: 7ffaacce3d55-7ffaacce3dc0 -> 705, 706
                                      • 705: 7ffaacce3dc2-7ffaacce3dce -> 706
                                      • 706: 7ffaacce3dd0-7ffaacce3df4 -> 707, 708
                                      • 707: 7ffaacce3e07-7ffaacce3e2b -> 709, 710
                                      • 708: 7ffaacce3df6-7ffaacce3e06 -> 707
                                      • 709: 7ffaacce3e2e-7ffaacce3e41 -> 711, 712
                                      • 710: 7ffaacce3e2d -> 709
                                      • 711: 7ffaacce3e43 -> 712
                                      • 712: 7ffaacce3e44-7ffaacce3e55 -> 713, 714
                                      • 713: 7ffaacce3e57 -> 714
                                      • 714: 7ffaacce3e58-7ffaacce3f20 RtlSetProcessIsCritical -> 718, 719
                                      • 718: 7ffaacce3f28-7ffaacce3f5d
                                      • 719: 7ffaacce3f22 -> 718
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.3721011628.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_7ffaacce0000_rat.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: c340c7501fb0ba4532ed902c21d1339e09c3b22a8a0d693fb7aed1234fb3c104
                                      • Instruction ID: aa608daf5207454b9916f9d0b7bea6c06ad1237160d3d5e1f4d858314df37b73
                                      • Opcode Fuzzy Hash: c340c7501fb0ba4532ed902c21d1339e09c3b22a8a0d693fb7aed1234fb3c104
                                      • Instruction Fuzzy Hash: 7091BB7184E7C58FD7178B7898616957FF0EF13220B0E45EBC0C5CB5A3D628694AC7A2
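The function above (process 8, snapshot hcaresult_8_2_7ffaacce0000_rat.jbxd, API ID CriticalProcess) is the code behind the "Protects its processes via BreakOnTermination flag" signature: RtlSetProcessIsCritical sets the flag, and once it is set, terminating the process bugchecks Windows instead of just ending it. The PowerShell below is an added triage example, not code from the report or from the sample. It assumes an elevated shell (NtSetInformationProcess with this information class requires SeDebugPrivilege to be enabled in the token), and the constants ProcessBreakOnTermination = 29, PROCESS_QUERY_INFORMATION = 0x0400 and PROCESS_SET_INFORMATION = 0x0200 are taken from the Windows SDK; the function names are mine.

```powershell
# Added triage example (not from the Joe Sandbox report or the sample).
# Queries and clears the BreakOnTermination flag that RtlSetProcessIsCritical sets.
# Assumptions: elevated shell; ProcessBreakOnTermination = 29 (0x1D) in PROCESSINFOCLASS;
# NTSTATUS 0 means STATUS_SUCCESS.

if (-not ('NtProc' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref uint info, int len, out int ret);
    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationProcess(IntPtr h, int cls, ref uint info, int len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@
}

$ProcessBreakOnTermination = 29
$PROCESS_QUERY_INFORMATION = 0x0400
$PROCESS_SET_INFORMATION   = 0x0200

# Clearing the flag needs SeDebugPrivilege *enabled*, not merely present in the token;
# .NET exposes that as EnterDebugMode. It throws when the shell is not elevated.
try { [System.Diagnostics.Process]::EnterDebugMode() }
catch { Write-Warning "Could not enable SeDebugPrivilege; run elevated to clear the flag." }

function Open-Target([int]$ProcessId, [uint32]$Access) {
    $h = [NtProc]::OpenProcess($Access, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed, Win32 error $code"
    }
    return $h
}

function Get-CriticalFlag {
    # Returns $true when the process is marked critical (killing it bugchecks the box).
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = Open-Target $ProcessId $PROCESS_QUERY_INFORMATION
    try {
        [uint32]$flag = 0; [int]$ret = 0
        $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$ret)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
        return ($flag -ne 0)
    } finally { [void][NtProc]::CloseHandle($h) }
}

function Clear-CriticalFlag {
    # Clears the flag so the process can be stopped without a bugcheck.
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = Open-Target $ProcessId ($PROCESS_QUERY_INFORMATION -bor $PROCESS_SET_INFORMATION)
    try {
        [uint32]$off = 0
        $status = [NtProc]::NtSetInformationProcess($h, $ProcessBreakOnTermination, [ref]$off, 4)
        if ($status -ne 0) { throw ('NtSetInformationProcess failed: 0x{0:X8}' -f $status) }
    } finally { [void][NtProc]::CloseHandle($h) }
}

# Triage: list every process currently marked critical. On a clean system this is a short
# list of Windows components (smss, csrss, wininit, services); a process named after the
# sample or living in a user-writable path is the one to clear and then stop.
Get-Process | ForEach-Object {
    try {
        if (Get-CriticalFlag -ProcessId $_.Id) { '{0,6}  {1}' -f $_.Id, $_.ProcessName }
    } catch { }   # PID 4, protected processes and already-exited PIDs fail to open; skip them
}
# Then, for the RAT's PID:
#   Clear-CriticalFlag -ProcessId $ratPid
#   Stop-Process -Id $ratPid -Force
```

Always clear the flag before Stop-Process or taskkill; killing a critical process from Task Manager or an EDR response action produces a CRITICAL_PROCESS_DIED bugcheck and loses volatile evidence along with the uptime.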
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Cpp_error@std@@Throw_$CurrentHandleInformationLibraryLoadModuleProcessQuerySystemThrd_idThrd_join_beginthreadex_stricmpgetenvmemcmpterminate
                                      • String ID: NtShutdownSystem$ntoskrnl.exe
                                      • API String ID: 648729289-2606169466
                                      • Opcode ID: 743bd4cd71c1a02f60fcc5f39df8abe606f1c05cce73d0d3111a19df3510348c
                                      • Instruction ID: 4c507cc96d2392b225aeaa25d20180278055ed6e5b5928e0d78d30dee44f00a6
                                      • Opcode Fuzzy Hash: 743bd4cd71c1a02f60fcc5f39df8abe606f1c05cce73d0d3111a19df3510348c
                                      • Instruction Fuzzy Hash: 31F19166A18B6181EB70AB70E8503B9A7E4FB49B88F984539D98D03765DF3CE094C360
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
                                      • String ID:
                                      • API String ID: 4293554670-0
                                      • Opcode ID: 83d6def80d16beef371d018fe411b4e81be1f2db12801f6809b2e6ddef41799d
                                      • Instruction ID: 29d4eceb0d1899511a4d187f4e2b27584718f4a30e2f709337fe74cab3a9527d
                                      • Opcode Fuzzy Hash: 83d6def80d16beef371d018fe411b4e81be1f2db12801f6809b2e6ddef41799d
                                      • Instruction Fuzzy Hash: 339198B6A28A12C6F775AB35A42427AA3D0AF44F78F94433CD96D477D4DF3CE8418620
                                      APIs
                                      • SetConsoleTitleA.KERNEL32 ref: 00007FF7952B2A4D
                                      • SHGetFolderPathW.SHELL32 ref: 00007FF7952B2A68
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2B11
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2C21
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2CFE
                                        • Part of subcall function 00007FF7952B50F8: memcpy.VCRUNTIME140 ref: 00007FF7952B5194
                                        • Part of subcall function 00007FF7952B50F8: memcpy.VCRUNTIME140 ref: 00007FF7952B51A5
                                        • Part of subcall function 00007FF7952B5A68: __std_fs_code_page.MSVCPRT ref: 00007FF7952B5A8B
                                        • Part of subcall function 00007FF7952B5A68: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7952B5ADB
                                        • Part of subcall function 00007FF7952B5A68: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7952B5B13
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2DEB
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2EC5
                                      • ?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952B2EE9
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2F1F
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952B2F67
                                      • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7952B302B
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952B3043
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$D@std@@@std@@U?$char_traits@__std_fs_convert_narrow_to_widememcpy$?always_noconv@codecvt_base@std@@?get@?$basic_istream@ConsoleFolderInit@?$basic_streambuf@PathTitle__std_fs_code_page
                                      • String ID: ,8.L$\chaos$\chaos\configs$chaos.xyz > press enter to close console [closes cheat]$create_directory$exists
                                      • API String ID: 1486308692-1720555787
                                      • Opcode ID: 6850c6fc4c2efd93cfacb228e257ad74a4085a31a6c3bbec25d39125468d0b73
                                      • Instruction ID: db71cb28426578e2b5df85a5c896765022f9ce750f013ccaf97abcfdf636624b
                                      • Opcode Fuzzy Hash: 6850c6fc4c2efd93cfacb228e257ad74a4085a31a6c3bbec25d39125468d0b73
                                      • Instruction Fuzzy Hash: 7412DAA2B18B5686EB20EB74E8500ADB3F1FB8AB54F900235EA5D53A99DF3CD544C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Virtual_invalid_parameter_noinfo_noreturn$Free$InformationQuerySystem$AllocLibraryLoad_stricmpgetenvmemchr
                                      • String ID: SYSTEMROOT$\SystemR$ntoskrnl.exe$oot\
                                      • API String ID: 3518534199-2069063710
                                      • Opcode ID: f895646c18394fb73f5f27c923ff0b1da01e2027c31a105874ef6d05384caf09
                                      • Instruction ID: 043c4140442ec591768d7ca8a96bb6002846c5645946e6348c287c25b61ddb4b
                                      • Opcode Fuzzy Hash: f895646c18394fb73f5f27c923ff0b1da01e2027c31a105874ef6d05384caf09
                                      • Instruction Fuzzy Hash: 9DD1D9A2F14A6286FB20DF75E8542BDA3B1EB49FA8F804335DA2D136D4DE38E451C310
                                      APIs
                                        • Part of subcall function 00007FF7952BFC48: memcmp.VCRUNTIME140 ref: 00007FF7952BFCC2
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD52
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD59
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7D87
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7F3E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7F78
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7FC3
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7FFD
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C8037
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C8071
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C8233
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C823A
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C8241
                                        • Part of subcall function 00007FF7952C1B64: memmove.VCRUNTIME140 ref: 00007FF7952C1C6E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmpmemmove
                                      • String ID: ???$Body$board$gui$iders$name
                                      • API String ID: 2239884541-4248146696
                                      • Opcode ID: a3979caf59c9b59e30e4b45745bbb076234198d626cc8260d074aebd17bda012
                                      • Instruction ID: ead36b9bf651c23792c2eeb64c6492d90067d2d103a20495cd56c466a64acc35
                                      • Opcode Fuzzy Hash: a3979caf59c9b59e30e4b45745bbb076234198d626cc8260d074aebd17bda012
                                      • Instruction Fuzzy Hash: 8C02B9A2E18B9284EB20EB74D8401BDA7A1AF45BA8F945339DE5D136D9DF7CD1C1C310
                                      APIs
                                        • Part of subcall function 00007FF7952B3DE8: memset.VCRUNTIME140 ref: 00007FF7952B3E43
                                      • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7952BC2DF
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BC446
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BC49B
                                      • ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF7952BC4EB
                                        • Part of subcall function 00007FF7952B4368: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7952B3A6A,?,?,?,00007FF7952B28FD), ref: 00007FF7952B43CA
                                        • Part of subcall function 00007FF7952B4368: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF7952B3A6A,?,?,?,00007FF7952B28FD), ref: 00007FF7952B43E7
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952BC518
                                        • Part of subcall function 00007FF7952B2734: _CxxThrowException.VCRUNTIME140 ref: 00007FF7952B2780
                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952BC57C
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952BC586
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BC5C1
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BC618
                                      • memmove.VCRUNTIME140 ref: 00007FF7952BC6B2
                                        • Part of subcall function 00007FF7952BC214: CreateFileA.KERNEL32 ref: 00007FF7952BC751
                                        • Part of subcall function 00007FF7952BC214: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BC796
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@_invalid_parameter_noinfo_noreturn$??1?$basic_ios@??1?$basic_ostream@?setstate@?$basic_ios@?write@?$basic_ostream@CreateExceptionFileInit@?$basic_streambuf@ThrowV12@fclosememmovememsetrand
                                      • String ID: \\.\AsUpdateio$temp_directory_path$uvwxyz
                                      • API String ID: 898089867-1750243440
                                      • Opcode ID: 8ac6b1c60800bd341babd304005258899236d3ff339ff9e5417aabe51f39c7e1
                                      • Instruction ID: b61c18fd1cfa85c88c250161ec6551f393f2cee130bfc29b799159cc973a2a9b
                                      • Opcode Fuzzy Hash: 8ac6b1c60800bd341babd304005258899236d3ff339ff9e5417aabe51f39c7e1
                                      • Instruction Fuzzy Hash: DEF1C7A2A14BD689EB30DF34D8503FDA3A0FB59B58F805239DA5D47A99DF38E584C310
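The entry above (process 9, snapshot hcaresult_9_2_7ff7952b0000_freeware.jbxd) carries the string \\.\AsUpdateio next to a subcall that invokes CreateFileA: opening a \\.\Name path is how a user-mode program obtains a handle to a kernel driver's device object, which matches the "Contains functionality to communicate with device drivers" signature in the overview. The PowerShell below is an added host check, not code from the report or the sample. It only assumes that the driver in question exposes its device under that DOS name; the function name and the interpretation of the Win32 error codes are mine.

```powershell
# Added check (not from the report or the sample): does a device object answer to the
# Win32 name \\.\<Name>, e.g. \\.\AsUpdateio, the string the sample passes to CreateFileA?
# Assumption: the driver exposes its device under that DOS name.

if (-not ('Win32Dev' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Win32Dev {
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr CreateFileW(string name, uint access, uint share, IntPtr sa,
                                            uint disposition, uint flags, IntPtr template);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@
}

function Test-DeviceName {
    # Returns an object with Present = $true when a device object exists under \\.\<Name>.
    param([Parameter(Mandatory)][string]$Name)
    $OPEN_EXISTING = 3
    # Desired access 0: enough for the object manager to resolve the name, while no
    # read/write/IOCTL rights are requested, so nothing beyond the create reaches the driver.
    $h = [Win32Dev]::CreateFileW("\\.\$Name", 0, 0, [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($h.ToInt64() -ne -1) {          # -1 is INVALID_HANDLE_VALUE
        [void][Win32Dev]::CloseHandle($h)
        return [pscustomobject]@{ Device = $Name; Present = $true; Win32Error = 0 }
    }
    # 2 = ERROR_FILE_NOT_FOUND, 3 = ERROR_PATH_NOT_FOUND: no such device object on this host.
    # 5 = ERROR_ACCESS_DENIED: the object exists but its ACL rejected this token.
    [pscustomobject]@{ Device = $Name; Present = ($err -eq 5); Win32Error = $err }
}

# Run against the name seen in the sample, plus two controls: a device that exists on
# every Windows install and a name that should not resolve anywhere.
'AsUpdateio', 'PhysicalDrive0', 'NoSuchDevice' | ForEach-Object { Test-DeviceName $_ }
```

A Present result on a host that was never meant to run the vendor software behind that device name is worth a look at the loaded driver list (Get-CimInstance Win32_SystemDriver) and at who installed it; an Absent result on the sandbox would also explain why the driver-talking path of process 9 could not be exercised there.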
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Cpp_error@std@@Throw_$_beginthreadex_invalid_parameter_noinfo_noreturnmallocterminate
                                      • String ID: Humanoid
                                      • API String ID: 2559812874-1470153286
                                      • Opcode ID: b73eab2152e4a69f92e094c17350492c268afe6b970cb7123b019c5ebf4dfac8
                                      • Instruction ID: 507c6d9cd77de6c5efdef95764b01548e5a032a5a1f031c2072530a650c60dda
                                      • Opcode Fuzzy Hash: b73eab2152e4a69f92e094c17350492c268afe6b970cb7123b019c5ebf4dfac8
                                      • Instruction Fuzzy Hash: 88D18172A1DB6295EB71EF70E8402B8B3E0AF0AF58F844139D94D276A5DF3CA455D320
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: randsqrtf$ClientControlCursorDeviceInputScreenSendmemset
                                      • String ID:
                                      • API String ID: 1336566397-0
                                      • Opcode ID: 2336d7f31ccf536e5ad8e2a0781ee051102484c9beaa5b4dbce9a589e4376a88
                                      • Instruction ID: aea71f513e3856dcd1ec678936c6e583cd023700b7b23907c96244bb2dd0b150
                                      • Opcode Fuzzy Hash: 2336d7f31ccf536e5ad8e2a0781ee051102484c9beaa5b4dbce9a589e4376a88
                                      • Instruction Fuzzy Hash: 8112BA32D28B9985E722DB3698410B9F3A0FFAE744F589726E94832575DF38F085DB10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ExceptionThrow
                                      • String ID: %.2X$: 0x$\u%04x$incomplete UTF-8 string; last byte: 0x$invalid UTF-8 byte at index
                                      • API String ID: 432778473-50787910
                                      • Opcode ID: 292d750db64ed8caaf97f4f84411259a2c66f3650b62026e1e0052a914830f7b
                                      • Instruction ID: 00fd32d2243fb7bcc97ebe4257239fc13beceae3f6ef2bc1655e4a2b042e2cb7
                                      • Opcode Fuzzy Hash: 292d750db64ed8caaf97f4f84411259a2c66f3650b62026e1e0052a914830f7b
                                      • Instruction Fuzzy Hash: 4BA101B3A0866691EA34EB35D8501BDA7E1FF85F84FC4813ACE0D076A5DE2CE615C360
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32lstrcmpi
                                      • String ID:
                                      • API String ID: 3122021977-0
                                      • Opcode ID: 53a1973895d1babdf3e1ebeddce4af49eea12ff8fc11d895e00ead4479638541
                                      • Instruction ID: efabdb47e37e509a9bac47202ef2f2d58f03159f2c40d4f07a4d25ab62eb17de
                                      • Opcode Fuzzy Hash: 53a1973895d1babdf3e1ebeddce4af49eea12ff8fc11d895e00ead4479638541
                                      • Instruction Fuzzy Hash: B4111F72618A56C6EB71AB31E85437AE3E0FF8CF88F844139D98D46664DF3CD5048B50
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                      • String ID:
                                      • API String ID: 2933794660-0
                                      • Opcode ID: 6b053be21ca0ea58507c8060663c019c148aef7c5db2175973fa9f92f3380a36
                                      • Instruction ID: bf26b4e347f049ed83baddcd9b0a2b38a3083784af6a55db93ec10629285b6e7
                                      • Opcode Fuzzy Hash: 6b053be21ca0ea58507c8060663c019c148aef7c5db2175973fa9f92f3380a36
                                      • Instruction Fuzzy Hash: 9E114C26B24F118AEB10EB70E8542B873E4FB59B58F840A39DA6D427A4DF78D5688350
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: FormatInfoLocaleMessage
                                      • String ID: !x-sys-default-locale
                                      • API String ID: 4235545615-2729719199
                                      • Opcode ID: 2651cd5cee3f4cc458a44f4ca5cc0a342ee14bffbdd41830a4ede7577b5a6bc9
                                      • Instruction ID: 77362c6741cf01f6680f3fda625c3496d3e9f01083f0ca0197bed1efd96f5b3b
                                      • Opcode Fuzzy Hash: 2651cd5cee3f4cc458a44f4ca5cc0a342ee14bffbdd41830a4ede7577b5a6bc9
                                      • Instruction Fuzzy Hash: 6901A1B2B2879582E7219B22F46077AE7D1F7D8B88F94413DDA4907A94CF3CD4008750
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Cpp_error@std@@Mtx_lockMtx_unlockThrow_
                                      • String ID: Business Loaded$Head$Humanoid$Phantom Loaded$Scorched Earth Loaded$Universal Loaded$[Watchdog] -> Seen crash on esp, Restarting$mvsDuels Loaded
                                      • API String ID: 1935054032-2595692204
                                      • Opcode ID: 8d8af8cc113043a248d0d133639304224298c1fd4bb7e350a7476498129b03a7
                                      • Instruction ID: b4bd6b7bcc737f379eab33199c74a0e22478ec66e11e79b55615244ef0a1cb14
                                      • Opcode Fuzzy Hash: 8d8af8cc113043a248d0d133639304224298c1fd4bb7e350a7476498129b03a7
                                      • Instruction Fuzzy Hash: 66D1B6A2E18B9285EB20EF34D8403BDA3A0FB55B98F904635E66D176E9DF7CD185C310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Cpp_error@std@@Throw_$D@std@@@std@@U?$char_traits@V01@$??6?$basic_ostream@V01@@_invalid_parameter_noinfo_noreturn$?setstate@?$basic_ios@?uncaught_exceptions@std@@Mtx_lockMtx_unlockOsfx@?$basic_ostream@Thrd_idThrd_join_beginthreadexterminate
                                      • String ID: [Watchdog] -> Aimbot restarted.$[Watchdog] -> Loop seems to be stuck. Restarting aimbot...$t...
                                      • API String ID: 649663718-3666851863
                                      • Opcode ID: d25a451d219f985f54dbcf59e601acebe23dc0981f6b1232b8c33c6741dbee4c
                                      • Instruction ID: 615db4c4ed31f658ae0199ebc759969e849ce0c2ce8b12b13bc99c1c4f4f3216
                                      • Opcode Fuzzy Hash: d25a451d219f985f54dbcf59e601acebe23dc0981f6b1232b8c33c6741dbee4c
                                      • Instruction Fuzzy Hash: 4BB193A2E18A5285F721EF75E8943B8B3E1EF49F58F804239D54C066A5EF7CA194C320
                                      APIs
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D4DD5
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D4E0F
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D4F2E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D4F69
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D4FAF
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D4FEB
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D503F
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D50CC
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D5114
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D51AE
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D51F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn
                                      • String ID: ; expected $; last read: '$rror $unexpected $while parsing
                                      • API String ID: 3668304517-2437721902
                                      • Opcode ID: 0d948c2d3c4d12f358245978ff432f44f23ace0db4729a22c067bcf4c76e2198
                                      • Instruction ID: 1a427a4ff00285f5b17524959ad3ea509d2c1d08a20b0ede442570af5a5b9c96
                                      • Opcode Fuzzy Hash: 0d948c2d3c4d12f358245978ff432f44f23ace0db4729a22c067bcf4c76e2198
                                      • Instruction Fuzzy Hash: 52F1C1A3E18B9685EA20EB74E84007DA3E1FB85BA8F905335DA6C176D5DF7CE480C710
                                      APIs
                                        • Part of subcall function 00007FF7952BFC48: memcmp.VCRUNTIME140 ref: 00007FF7952BFCC2
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD52
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD59
                                        • Part of subcall function 00007FF7952B5650: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7952B5022,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7952B5697
                                        • Part of subcall function 00007FF7952B5650: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7952B56B7
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C6B88
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C6BC2
                                      • _Mtx_lock.MSVCP140 ref: 00007FF7952C6C21
                                      • _Mtx_unlock.MSVCP140 ref: 00007FF7952C6C51
                                      • _Mtx_lock.MSVCP140 ref: 00007FF7952C6F9B
                                      • _Mtx_unlock.MSVCP140 ref: 00007FF7952C6FF0
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7034
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C703B
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7042
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7049
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7050
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7057
                                      • ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7952C7076
                                      • ?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140 ref: 00007FF7952C7082
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Cpp_error@std@@Mtx_lockMtx_unlockThrow_$Concurrency::cancel_current_taskmemcmp
                                      • String ID: Head$Humanoid
                                      • API String ID: 3897814415-4240587822
                                      • Opcode ID: 5c283ffce17d46ec022111e212e2c79b11c7001592e2b8e2198a85374f3160c5
                                      • Instruction ID: eceb747d36d359424312b55bb7135340e6edf33d3f4e6a952605626f69fc7eb5
                                      • Opcode Fuzzy Hash: 5c283ffce17d46ec022111e212e2c79b11c7001592e2b8e2198a85374f3160c5
                                      • Instruction Fuzzy Hash: 3A02E9A2E18B9285EB20EF34D8403BDA3A1FB55B98F904235EA5D176D9DF7CE184C350
                                      APIs
                                        • Part of subcall function 00007FF7952B3C48: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FF7952B6B8F), ref: 00007FF7952B3C96
                                        • Part of subcall function 00007FF7952D2BB0: memcpy.VCRUNTIME140 ref: 00007FF7952D2C44
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C96D8
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9711
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C975A
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C97A3
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C98E8
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9933
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C997C
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C99BC
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9A07
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9A40
                                      • __std_exception_copy.VCRUNTIME140 ref: 00007FF7952C9A97
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9AE4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copymemcpymemmove
                                      • String ID: at line $, column $parse error
                                      • API String ID: 3181041822-182125887
                                      • Opcode ID: e498313f471a68208f3db2abf725523480e63eafab939742ac492eaa3ac6549c
                                      • Instruction ID: 19f910505ca9e6aec19ca33edc03c39a4622ef2ecbf7c8a554ec1b7b0a130c24
                                      • Opcode Fuzzy Hash: e498313f471a68208f3db2abf725523480e63eafab939742ac492eaa3ac6549c
                                      • Instruction Fuzzy Hash: 4FF1D9A2E18B9685EB10EB74D84017DA7A1FB96BA4F505339EA6D127D5DF3CE1C0C310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Cpp_error@std@@Throw_$Mtx_lockMtx_unlock
                                      • String ID: d
                                      • API String ID: 4102343242-2564639436
                                      • Opcode ID: d3920ceae3b327bcc56fec86b6b2f2c819dd16bab54583c3c145e804d13e3ff8
                                      • Instruction ID: 5c9699b4a2e4620746abca38c7168ac0e5eadf664176ff642cf518f8f6462b38
                                      • Opcode Fuzzy Hash: d3920ceae3b327bcc56fec86b6b2f2c819dd16bab54583c3c145e804d13e3ff8
                                      • Instruction Fuzzy Hash: C6F1C962E18A9281EB20EF35D8403BDB3A0FB45B94F945239DA5D076EADF3CE585C710
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Cpp_error@std@@Mtx_lockMtx_unlockThrow_memcmp
                                      • String ID: Head$Root
                                      • API String ID: 3650642147-103748046
                                      • Opcode ID: 8f4cc3795c9ab27cf3d0b7f139ac561646cbb80b294ef9de35bf11a14e55e1e6
                                      • Instruction ID: 92c2d8bd7485d5b42bd88ec869fda88b4c22fe2c7ddc720d5776d18ca7921eda
                                      • Opcode Fuzzy Hash: 8f4cc3795c9ab27cf3d0b7f139ac561646cbb80b294ef9de35bf11a14e55e1e6
                                      • Instruction Fuzzy Hash: A2C1DBA2E18B9185EB20EB75E8443BCA3A0FB55B68F900335DA5D176D6DF3CE584C320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$Cpp_error@std@@Mtx_lockMtx_unlockThrow_
                                      • String ID: Humanoid$collider$collider
                                      • API String ID: 1935054032-3750795999
                                      • Opcode ID: 958a12945e70dcc11449520fc3074afaa472f0c0da92c6f201e5782f14845d8d
                                      • Instruction ID: 8a372d6b55b9383a49488f13a773813df445c0d29cc20a98073355f5064a75c8
                                      • Opcode Fuzzy Hash: 958a12945e70dcc11449520fc3074afaa472f0c0da92c6f201e5782f14845d8d
                                      • Instruction Fuzzy Hash: 93D1D762E28B9285EB20EB74D8503BDB3A0FB45B98F904235DA5D176E9DF7CD584C320
                                      APIs
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C716D
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C71EE
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C728F
                                        • Part of subcall function 00007FF7952BB5F0: DeviceIoControl.KERNEL32 ref: 00007FF7952BB673
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C733B
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C7376
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C73C0
                                        • Part of subcall function 00007FF7952BFDC8: memcmp.VCRUNTIME140 ref: 00007FF7952BFE42
                                        • Part of subcall function 00007FF7952BFDC8: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFED2
                                        • Part of subcall function 00007FF7952BFDC8: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFED9
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C747A
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C74B5
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ControlDevicememcmp
                                      • String ID: 6KZ$Folder$Ghosts$Phantoms$Teams
                                      • API String ID: 368585952-4203763731
                                      • Opcode ID: a29c432a9efa48307a8d938b7c0126346caff9f4a6c409a847e9b845a426e8f7
                                      • Instruction ID: 70a5ace8b171e5ed5bb1f47754cf0a2b50e169c84b7b5d509335c6bf0a6c93fd
                                      • Opcode Fuzzy Hash: a29c432a9efa48307a8d938b7c0126346caff9f4a6c409a847e9b845a426e8f7
                                      • Instruction Fuzzy Hash: 76D1B9A2F18B5289FB20DFB4D8402FCA3A1AF45B68F845379DE2D126D5DE3C9585C360
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Value$CloseCreate_invalid_parameter_noinfo_noreturnmemmove
                                      • String ID: "$/$ErrorControl$ImagePath$Start$Type
                                      • API String ID: 279633952-760690246
                                      • Opcode ID: bb034d2dfbb2d3414fa03217eeac2845bc1ba1db6f220bbe5daf9608f5a1518e
                                      • Instruction ID: e5274cab45b444bc57d9cff64ec9c0d26d6a219038feac7e3332ba65bd65bc82
                                      • Opcode Fuzzy Hash: bb034d2dfbb2d3414fa03217eeac2845bc1ba1db6f220bbe5daf9608f5a1518e
                                      • Instruction Fuzzy Hash: F3518D62F14A618AFB20EB75E8503ADA7B0BB49B88F904239DE4D52A59DF3CD185C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Handle$File$ErrorInformationLast$Close__std_fs_open_handleabort$Create
                                      • String ID:
                                      • API String ID: 503677281-0
                                      • Opcode ID: d7415279aca569c4bf52e6c5dd5ad2082ce81591df571fddd3260597a06928d3
                                      • Instruction ID: 494a0bd1e3f4c78b76ce2c28330a01d0faa52da3c7bf6159e81bd0ec279f6e50
                                      • Opcode Fuzzy Hash: d7415279aca569c4bf52e6c5dd5ad2082ce81591df571fddd3260597a06928d3
                                      • Instruction Fuzzy Hash: 515193B6F28662C9F735AB7294241BDA7E06F44FACF84023DCD1996794DE38D4418760
                                      APIs
                                        • Part of subcall function 00007FF7952B5B4C: memmove.VCRUNTIME140 ref: 00007FF7952B5C44
                                        • Part of subcall function 00007FF7952B4B40: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF7952BADB4), ref: 00007FF7952B4BE4
                                        • Part of subcall function 00007FF7952B4B40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FF7952BADB4), ref: 00007FF7952B4C22
                                        • Part of subcall function 00007FF7952B4B40: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF7952BADB4), ref: 00007FF7952B4C2C
                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FF7952D5654), ref: 00007FF7952D5DA8
                                      • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7952D5DCD
                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D5DD6
                                      • strtoll.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7952D5E0B
                                      • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952D5E14
                                      • strtod.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7952D5E3B
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _errno$memcpy$_invalid_parameter_noinfo_noreturnmemmovestrtodstrtollstrtoull
                                      • String ID: invalid number; expected '+', '-', or digit after exponent$invalid number; expected digit after '-'$invalid number; expected digit after '.'$invalid number; expected digit after exponent sign
                                      • API String ID: 2681794517-1962259348
                                      • Opcode ID: 55498cb8f2d9ba4cbd7c224f3556808d47c479d552876360e3c33ccca95e4642
                                      • Instruction ID: af363bedb16d6a2ee03fc36c58272f1325fd28dcc4aaa91bee698637c51ca746
                                      • Opcode Fuzzy Hash: 55498cb8f2d9ba4cbd7c224f3556808d47c479d552876360e3c33ccca95e4642
                                      • Instruction Fuzzy Hash: 741275A3B0DA6281EB79BF3D89A407CA7E1EB15F44BE40135CA0E43694CE7DE951C360
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$_localtime64_mkdir_time64strftime
                                      • String ID: logs$logs\log%Y-%m-%d_%H-%M-%S.txt$remove
                                      • API String ID: 4220211597-197495188
                                      • Opcode ID: 1d1ecb1cc230c3fa0dcbca6d0e79d0cec84ccf96c0707c0214d0f914d05425de
                                      • Instruction ID: e522974ec5152f15ba6f0b1c0acfd28a427070665796d153e767414156873bc6
                                      • Opcode Fuzzy Hash: 1d1ecb1cc230c3fa0dcbca6d0e79d0cec84ccf96c0707c0214d0f914d05425de
                                      • Instruction Fuzzy Hash: 5DB1B4A2A18B8682EB20DF35E840279E3E0FB89F94F945235EA9D53765DF3CD484C750
                                      APIs
                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952CA9EB
                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7952CAA09
                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952CAA3D
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952CAA5C
                                      • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952CAAAF
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952CAABF
                                      • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7952CAB2C
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952CAB4B
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952CAB82
                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952CABB9
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952CABC3
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@$D@std@@@std@@$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?clear@?$basic_ios@D@std@@@1@_V?$basic_streambuf@fclose
                                      • String ID:
                                      • API String ID: 2525917531-0
                                      • Opcode ID: 90c146cbc11c42520943e293e207cef5c06fb92029402639cd0332e2d4422f8e
                                      • Instruction ID: 48f6192736632d6d530fd10955a9a39896f758672149a67a784b26a32485d6bc
                                      • Opcode Fuzzy Hash: 90c146cbc11c42520943e293e207cef5c06fb92029402639cd0332e2d4422f8e
                                      • Instruction Fuzzy Hash: F8616973A18B5585EB21DB65E8903A9B7B0FB88B48F84413ADA4D47A68DF3CD109CB10
                                      APIs
                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952CAC0F
                                      • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7952CAC2D
                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952CAC61
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952CAC80
                                      • ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952CACD3
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952CACE3
                                      • fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7952CAD41
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952CAD60
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952CAD97
                                      • ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952CADCE
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952CADD8
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@$D@std@@@std@@$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_istream@?clear@?$basic_ios@D@std@@@1@_V?$basic_streambuf@fclose
                                      • String ID:
                                      • API String ID: 56852916-0
                                      • Opcode ID: c4a04fef42c682a193527e2a92598e935381ced034af6a340deaa2ce636ba100
                                      • Instruction ID: 0f95248275d60d357d2cfd302824a2ca264c3aab19a4e7cd108603ff92cb7296
                                      • Opcode Fuzzy Hash: c4a04fef42c682a193527e2a92598e935381ced034af6a340deaa2ce636ba100
                                      • Instruction Fuzzy Hash: E3515B73A28B95C6EB21DB64E8943ADB7B0FB84B49F844139DA4D47A68DF3CD104CB10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: sinf$cosf$memset$fmodf
                                      • String ID: ##Background
                                      • API String ID: 3988030002-465303879
                                      • Opcode ID: 55b3e08be79fee35cd30e119d80a584917d7d48697037ac8b71088a465bc1170
                                      • Instruction ID: fdd6e7bb619b1a079f2855a7a2190c076177cfed97c82f693a7670a3c6ed6552
                                      • Opcode Fuzzy Hash: 55b3e08be79fee35cd30e119d80a584917d7d48697037ac8b71088a465bc1170
                                      • Instruction Fuzzy Hash: D3029723D18BD989E312EB3AD8410E9F3B0FF69748F545725FA8822576DF38A195DB00
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ClientCursorFindScreenWindowmemsetsqrtf
                                      • String ID: Roblox$Torso
                                      • API String ID: 3845016393-1831979288
                                      • Opcode ID: fc64a5a41196843e2de1c389c317c40d147b3a3426b1cc175eccc8ae60759c99
                                      • Instruction ID: 361b7f2bb3da780d39e969c7556f1f7011ac12c4bdbc49d29c5d373beacc5796
                                      • Opcode Fuzzy Hash: fc64a5a41196843e2de1c389c317c40d147b3a3426b1cc175eccc8ae60759c99
                                      • Instruction Fuzzy Hash: 9CB18262E18A9585E621DB79E8002ADB3F0FF99B94F544336EB9C126A4DF3CE581C710
                                      APIs
                                        • Part of subcall function 00007FF7952B4104: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952B4139
                                        • Part of subcall function 00007FF7952B4104: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7952B4158
                                        • Part of subcall function 00007FF7952B4104: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952B418B
                                        • Part of subcall function 00007FF7952B4104: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952B41A6
                                        • Part of subcall function 00007FF7952B4104: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952B41EB
                                      • _time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7952BCC9C
                                      • _localtime64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7952BCCAC
                                      • strftime.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7952BCCE4
                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7952BCD84
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BCDBD
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952BCDF0
                                      • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952BCE27
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952BCE31
                                        • Part of subcall function 00007FF7952BA278: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952BA394
                                        • Part of subcall function 00007FF7952BA278: ?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7952BA39B
                                        • Part of subcall function 00007FF7952BA278: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7952BA3AA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@$D@std@@@std@@$?setstate@?$basic_ios@$V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??6?$basic_ostream@?uncaught_exceptions@std@@D@std@@@1@_Init@?$basic_streambuf@Osfx@?$basic_ostream@V01@@V?$basic_streambuf@_invalid_parameter_noinfo_noreturn_localtime64_time64strftime
                                      • String ID: %Y-%m-%d %X
                                      • API String ID: 2113168112-1113424401
                                      • Opcode ID: 0f016544c4b2f8b26bda208bde48384bd59e5946fb37d6738addafbd2e63295d
                                      • Instruction ID: dfa7c77549ecc768bb60cf7c5e13e3ede6ad7b50cc39b94f35c481a298074753
                                      • Opcode Fuzzy Hash: 0f016544c4b2f8b26bda208bde48384bd59e5946fb37d6738addafbd2e63295d
                                      • Instruction Fuzzy Hash: E961B572A14B9286EB20EF35D8502ADB7A1FB86F98F804236DA5D13699DF3CD544C710
                                      APIs
                                      • GetModuleHandleA.KERNEL32(?,?,-00001000,00007FF7952B7781), ref: 00007FF7952B7B7F
                                      • GetProcAddress.KERNEL32(?,?,-00001000,00007FF7952B7781), ref: 00007FF7952B7B8F
                                      • GetModuleHandleA.KERNEL32(?,?,-00001000,00007FF7952B7781), ref: 00007FF7952B7C68
                                      • GetProcAddress.KERNEL32(?,?,-00001000,00007FF7952B7781), ref: 00007FF7952B7C78
                                        • Part of subcall function 00007FF795397CF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C58,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397D00
                                        • Part of subcall function 00007FF7952B6A08: NtQuerySystemInformation.NTDLL ref: 00007FF7952B6A58
                                        • Part of subcall function 00007FF7952B6A08: _stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7952B6B0E
                                        • Part of subcall function 00007FF7952B6A08: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF7952B6B50
                                        • Part of subcall function 00007FF795397C84: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C91,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397C94
                                        • Part of subcall function 00007FF795397C84: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C91,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397CD4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ExclusiveLock$AcquireAddressHandleModuleProc$InformationQueryReleaseSystem_stricmpgetenv
                                      • String ID: NtShutdownSystem$PsGetProcessSectionBaseAddress$PsLookupProcessByProcessId$ntdll.dll
                                      • API String ID: 1430592421-4023252953
                                      • Opcode ID: 266c24e48bf605dfc169b2f1670ead77aabb9266fec4beccf9a50771cb8151a2
                                      • Instruction ID: 6b1b1c2e0a9143b3a266ecbfee984dce5bba1b8ea4c4decf6d4ace8b5a8bb629
                                      • Opcode Fuzzy Hash: 266c24e48bf605dfc169b2f1670ead77aabb9266fec4beccf9a50771cb8151a2
                                      • Instruction Fuzzy Hash: FE51F565A28A2285EAB0FB74E854179F3E0BF45F98FC4413AD96D462B1DF3CE449C720
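The function records above are easier to triage mechanically than by eye. The following helper is an added example, not part of the Joe Sandbox report or the analysed sample: it parses the per-function "API ID" / "String ID" / "Opcode ID" lines in the format shown on this page and flags records whose referenced strings look like native or kernel export names (Nt*/Zw*/Ps*/Ke* and similar, as in the NtShutdownSystem / PsLookupProcessByProcessId record) or like the value names of a service registry key (ImagePath, Start, Type, ErrorControl, as in the record near the top of this section). The three sample records embedded below are copied from this page with their Memory Dump Source lines left out; the watch-list prefixes and the "two or more service value names" threshold are assumptions of this example, not anything the report states.

```python
"""Triage helper for Joe Sandbox "IDA Plugin" function metadata (added example).

Parses "• API ID / String ID / API String ID / Opcode ID" records and flags
functions whose string references match a small watch-list. Watch-list
contents and thresholds are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: three records copied from this report.
# The String ID field is a '$'-joined list of literal strings; the API ID
# field is Joe Sandbox's concatenated API-name digest and is kept as-is.
SAMPLE = r"""
• API ID: Value$CloseCreate_invalid_parameter_noinfo_noreturnmemmove
• String ID: "$/$ErrorControl$ImagePath$Start$Type
• API String ID: 279633952-760690246
• Opcode ID: bb034d2dfbb2d3414fa03217eeac2845bc1ba1db6f220bbe5daf9608f5a1518e
• API ID: _invalid_parameter_noinfo_noreturn$_localtime64_mkdir_time64strftime
• String ID: logs$logs\log%Y-%m-%d_%H-%M-%S.txt$remove
• API String ID: 4220211597-197495188
• Opcode ID: 1d1ecb1cc230c3fa0dcbca6d0e79d0cec84ccf96c0707c0214d0f914d05425de
• API ID: ExclusiveLock$AcquireAddressHandleModuleProc$InformationQueryReleaseSystem_stricmpgetenv
• String ID: NtShutdownSystem$PsGetProcessSectionBaseAddress$PsLookupProcessByProcessId$ntdll.dll
• API String ID: 1430592421-4023252953
• Opcode ID: 266c24e48bf605dfc169b2f1670ead77aabb9266fec4beccf9a50771cb8151a2
"""

# Assumed watch-list: value names under HKLM\SYSTEM\CurrentControlSet\Services\<name>
SERVICE_VALUES = {"ImagePath", "Start", "Type", "ErrorControl"}
# Assumed watch-list: common prefixes of ntdll / ntoskrnl export names
KERNEL_EXPORT = re.compile(r"^(Nt|Zw|Ps|Ke|Ob|Mm|Io|Ex)[A-Z][A-Za-z0-9]+$")

# One metadata line: optional bullet, label, colon, value. "API String ID"
# is listed after "String ID" but cannot be confused with it because the
# alternation is anchored at the start of the label.
FIELD = re.compile(r"^\s*•?\s*(API ID|String ID|API String ID|Opcode ID):\s*(.*?)\s*$")


@dataclass
class Record:
    apis: str = ""
    strings: list = field(default_factory=list)
    opcode_id: str = ""


@dataclass
class Finding:
    opcode_id: str
    reasons: list


def parse_records(text: str) -> list:
    """Group metadata lines into records; a record starts at 'API ID'."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # dump-source, similarity and hash lines are ignored
        label, value = m.groups()
        if label == "API ID":
            cur = Record(apis=value)
            records.append(cur)
        elif cur is None:
            continue  # stray field before the first record
        elif label == "String ID":
            cur.strings = [t for t in value.split("$") if t]
        elif label == "Opcode ID":
            cur.opcode_id = value
    return records


def triage(text: str) -> list:
    """Return a Finding per record whose strings hit the watch-list."""
    findings = []
    for rec in parse_records(text):
        reasons = []
        kernel = sorted(s for s in rec.strings if KERNEL_EXPORT.match(s))
        if kernel:
            reasons.append("references native/kernel export names: " + ", ".join(kernel))
        svc = SERVICE_VALUES & set(rec.strings)
        if len(svc) >= 2:
            reasons.append("references service registry value names: " + ", ".join(sorted(svc)))
        if reasons:
            findings.append(Finding(rec.opcode_id, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.opcode_id[:16], "|", "; ".join(f.reasons))
```

Run against the full report text, the same parser works unchanged because only the four labelled fields are consumed; everything else (dump sources, fuzzy hashes, the Joe Sandbox IDA Plugin lines) is skipped. The log-file record is deliberately left unflagged so the two hits stand out.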
                                      APIs
                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952C10FC
                                      • ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7952C111B
                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952C114D
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952C1168
                                      • ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7952C11A0
                                      • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7952C11C4
                                      • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7952C11D9
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952C11F1
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952C1231
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@
                                      • String ID:
                                      • API String ID: 848275212-0
                                      • Opcode ID: 225408cc85c7fceca641908a529f566c1078dcdb36aaa910522226361eb5b14e
                                      • Instruction ID: 02c6654e9ac850924349fca162500535f43baa25756905ce147481d3bc35a3d4
                                      • Opcode Fuzzy Hash: 225408cc85c7fceca641908a529f566c1078dcdb36aaa910522226361eb5b14e
                                      • Instruction Fuzzy Hash: EB5138B2A04B6582EB249F65E994339B7A0FB85F88F848539CA0E47760CF3CE065C711
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
                                      • String ID: [json.exception.
                                      • API String ID: 1346393832-791563284
                                      • Opcode ID: 3a02af2239277b594eb3aa56617cd32dbc90feae417857f7d73901e2ba5b052a
                                      • Instruction ID: 3b12c78ca19d16fa3606ea06ce99334b85ffb93db7c20547b62e86c37148933c
                                      • Opcode Fuzzy Hash: 3a02af2239277b594eb3aa56617cd32dbc90feae417857f7d73901e2ba5b052a
                                      • Instruction Fuzzy Hash: 3771DA62F18B5585EB20EB74D8503BCA3A1AB45FA8F804735DA6C167D5DF3CE191C350
                                      APIs
                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7952CE778
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CE7AD
                                      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7952CE7F1
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CE825
                                        • Part of subcall function 00007FF7952B5A68: __std_fs_code_page.MSVCPRT ref: 00007FF7952B5A8B
                                        • Part of subcall function 00007FF7952B5A68: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7952B5ADB
                                        • Part of subcall function 00007FF7952B5A68: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7952B5B13
                                        • Part of subcall function 00007FF7953996D8: __std_fs_open_handle.LIBCPMT ref: 00007FF795399718
                                        • Part of subcall function 00007FF7953996D8: SetFileInformationByHandle.KERNEL32 ref: 00007FF795399742
                                        • Part of subcall function 00007FF7953996D8: CloseHandle.KERNEL32 ref: 00007FF795399794
                                        • Part of subcall function 00007FF7952B3B0C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF7952BAEA5), ref: 00007FF7952B3B67
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: V01@$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@D@std@@@std@@HandleU?$char_traits@V01@@__std_fs_convert_narrow_to_wide$CloseFileInformation__std_fs_code_page__std_fs_open_handle
                                      • String ID: Error deleting file: $File deleted successfully: $File does not exist:
                                      • API String ID: 1588852801-2817151807
                                      • Opcode ID: a0c0f42f905502bd8fce3d19482d5fcbf36cc3df92c467cdb21fefe1b2adc8f6
                                      • Instruction ID: 6db8693c866404d9a9e86437772ec9f1ffcceb223631eae292476fe60da215a0
                                      • Opcode Fuzzy Hash: a0c0f42f905502bd8fce3d19482d5fcbf36cc3df92c467cdb21fefe1b2adc8f6
                                      • Instruction Fuzzy Hash: 595183A2B08B5285EB20EB75D8500ACA3E1FB49F98BC0123ADD5D57799DF3CE585C350
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memmove$memset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                      • String ID:
                                      • API String ID: 1282081513-0
                                      • Opcode ID: 40d9e50c1b8a6d83654dc33404c1533dc9342a35aae7245898d6c139120aa8af
                                      • Instruction ID: dd4fd1468ca3aab00d6089976e71b7b1d60540accbdee1863b288edb19cdb77f
                                      • Opcode Fuzzy Hash: 40d9e50c1b8a6d83654dc33404c1533dc9342a35aae7245898d6c139120aa8af
                                      • Instruction Fuzzy Hash: 0C510561F29A6A84FE20BBB6D4152B8A390AF44FD4FC4453DDA2D07BA5DE7CE5418320
                                      APIs
                                        • Part of subcall function 00007FF7952C10C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952C10FC
                                        • Part of subcall function 00007FF7952C10C0: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7952C111B
                                        • Part of subcall function 00007FF7952C10C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952C114D
                                        • Part of subcall function 00007FF7952C10C0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952C1168
                                        • Part of subcall function 00007FF7952C10C0: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7952C11A0
                                        • Part of subcall function 00007FF7952C10C0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7952C11C4
                                        • Part of subcall function 00007FF7952C10C0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7952C11D9
                                      • ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z.MSVCP140 ref: 00007FF7952BCF21
                                        • Part of subcall function 00007FF7952C19D0: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7952C1A26
                                        • Part of subcall function 00007FF7952C19D0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952C1A59
                                        • Part of subcall function 00007FF7952C19D0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952C1B30
                                      • memchr.VCRUNTIME140 ref: 00007FF7952BD0BA
                                        • Part of subcall function 00007FF7952B4C60: memcpy.VCRUNTIME140(?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B4CA2
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BD12D
                                      • strtoull.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 00007FF7952BD16C
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BD1A9
                                      • ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952BD1FE
                                      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7952BD208
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_istream@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?widen@?$basic_ios@D@std@@@1@_Fiopen@std@@Init@?$basic_streambuf@Ipfx@?$basic_istream@U_iobuf@@V?$basic_streambuf@Vlocale@2@memchrmemcpystrtoull
                                      • String ID:
                                      • API String ID: 2220927959-0
                                      • Opcode ID: 118b85ebf97c03080b2deb7d5059caf2775fb1112d41f75ff934676ba7feb7e1
                                      • Instruction ID: b2a82343f2480d7512cbf45d9c617f12ac3159d98a425cb4b36fc6307cbfb4c2
                                      • Opcode Fuzzy Hash: 118b85ebf97c03080b2deb7d5059caf2775fb1112d41f75ff934676ba7feb7e1
                                      • Instruction Fuzzy Hash: 65B1E763A14BD585EB20DF34D8402E8B3A1FB59B98F804736EA5D17B99DF38E585C310
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpy
                                      • String ID:
                                      • API String ID: 3510742995-0
                                      • Opcode ID: b65a31c5b7539d30018219e0b353a3915bcf0a0e7aea1be8ed7969e8fe85be37
                                      • Instruction ID: b17cdbc1c6d6bcea3fe66054cc9dfe4c4ec46fa0a1c5f455e59652cc99d672ae
                                      • Opcode Fuzzy Hash: b65a31c5b7539d30018219e0b353a3915bcf0a0e7aea1be8ed7969e8fe85be37
                                      • Instruction Fuzzy Hash: 6F913F62D2879985E223AB36A442178F3D0AF6DB44F58D736FD4933271EF28B4D1C610
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: fgetc
                                      • String ID:
                                      • API String ID: 2807381905-0
                                      • Opcode ID: 5660b6675f53460ad228acc8335d7f9dfc1e6141104aba280e1d7a99f985f5ef
                                      • Instruction ID: 98c7d0c4c25098dfaa7d29227714703f8d2c8826610ea2882cde7599d2d0d962
                                      • Opcode Fuzzy Hash: 5660b6675f53460ad228acc8335d7f9dfc1e6141104aba280e1d7a99f985f5ef
                                      • Instruction Fuzzy Hash: 21818DA3B18A9189EB20DF75D8502ACA7F0FB59B58F940536CE5E52B98DF38D484C320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Message_invalid_parameter_noinfo_noreturn
                                      • String ID: )$)2->$cbrh$river
                                      • API String ID: 1500748172-2137112164
                                      • Opcode ID: 69d1a4c56d838d8ae57ff72811af519576231ba4b1aae728e9069ff69797720f
                                      • Instruction ID: e4c4a9f44284f05a67a74eeb1e0b05fc46de858fb52f2fd3632644c8ba4045dc
                                      • Opcode Fuzzy Hash: 69d1a4c56d838d8ae57ff72811af519576231ba4b1aae728e9069ff69797720f
                                      • Instruction Fuzzy Hash: FD419672A157D288E731DF34ED143FD63A0EB49B9CF50523ACE691AA96DF789281C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2665656946-0
                                      • Opcode ID: 55be70b163613210d8049770e80a131e16dac08585537223abe2a0e636dae8cc
                                      • Instruction ID: f48df7dc0e587661bba16c93dbf2f8c9bc907d489bd2b847d9fcf453b1554a07
                                      • Opcode Fuzzy Hash: 55be70b163613210d8049770e80a131e16dac08585537223abe2a0e636dae8cc
                                      • Instruction Fuzzy Hash: 062198F2B1575681EA10AB76F9541AEA391EB45FC8F80403ADF4D07746DE3CD1918350
                                      APIs
                                      • ??0_Lockit@std@@QEAA@H@Z.MSVCP140(00000000,?,?,00007FF7952D2DCF), ref: 00007FF7952D2A82
                                      • ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00007FF7952D2DCF), ref: 00007FF7952D2A9C
                                      • ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00007FF7952D2DCF), ref: 00007FF7952D2ACE
                                      • ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,00007FF7952D2DCF), ref: 00007FF7952D2AF9
                                      • std::_Facet_Register.LIBCPMT ref: 00007FF7952D2B12
                                      • ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,00007FF7952D2DCF), ref: 00007FF7952D2B31
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7952D2B47
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
                                      • String ID:
                                      • API String ID: 3790006010-0
                                      • Opcode ID: fc47345336fdc162d077c53b1ca09eebdc4eb0867ba9fdacc23fde028ae53a76
                                      • Instruction ID: ee39ba0cf3a8e2ead88be5994ade4f7561d4ef91f5425455432a4a6f64b98947
                                      • Opcode Fuzzy Hash: fc47345336fdc162d077c53b1ca09eebdc4eb0867ba9fdacc23fde028ae53a76
                                      • Instruction Fuzzy Hash: 06219EA6A08A11C1EB25AF35E840279A3A0FB98F98F884535DB5D077A4DF3CD495C320
                                      APIs
                                      • ??0_Lockit@std@@QEAA@H@Z.MSVCP140(00000000,?,?,00007FF7952B44F3), ref: 00007FF7952B48B2
                                      • ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B48CC
                                      • ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B48FE
                                      • ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B4929
                                      • std::_Facet_Register.LIBCPMT ref: 00007FF7952B4942
                                      • ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B4961
                                      • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7952B4977
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
                                      • String ID:
                                      • API String ID: 762505753-0
                                      • Opcode ID: 94ed31fede6666b853b9e59999d20c22c618fb68e0a32eeda437da794be44bf6
                                      • Instruction ID: e4fef52ec6315bc202d0b3f0bf1345553547a188b0be13bfd292a99b1f56f1cf
                                      • Opcode Fuzzy Hash: 94ed31fede6666b853b9e59999d20c22c618fb68e0a32eeda437da794be44bf6
                                      • Instruction Fuzzy Hash: 4421B1A6A08F5281EB25AF25E890179E3A0FB49F94F980535DF6D037A5DF3CE480C310
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpen
                                      • String ID: .Translated$HARDWARE\RESOURCEMAP\System Resources\Physical Memory
                                      • API String ID: 1586453840-4065546320
                                      • Opcode ID: 3468491e686bab3e395910901b765767fb5717b0952ef10726f2650147b1a8fb
                                      • Instruction ID: a448b23610179e67f520cb4762a23c148af3730c5dd1a8db07c93c17725245d2
                                      • Opcode Fuzzy Hash: 3468491e686bab3e395910901b765767fb5717b0952ef10726f2650147b1a8fb
                                      • Instruction Fuzzy Hash: 07215872A28B6593EB209B34E4506AAB3A4FB85B98FC00139E64D07B64DF3CD555CB50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: QueryValue$CloseOpen
                                      • String ID: .Translated$HARDWARE\RESOURCEMAP\System Resources\Physical Memory
                                      • API String ID: 1586453840-4065546320
                                      • Opcode ID: 2b55fd80a3d57eb04069c1781438544d9a0f8fb8d32c2113c945d33e406ab5d1
                                      • Instruction ID: 7fa6890b4f69b4fb864651b4b125d5b2d980b2b8d419c7e6dd3fad2e938a0cd9
                                      • Opcode Fuzzy Hash: 2b55fd80a3d57eb04069c1781438544d9a0f8fb8d32c2113c945d33e406ab5d1
                                      • Instruction Fuzzy Hash: 43218872A28B55D3EB209B34E4506AAF3A4FB85B98FC00139EA4D07B64DF3CD545CB50
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
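                                       The two functions above open HARDWARE\RESOURCEMAP\System Resources\Physical Memory and query its .Translated value. That value is a REG_RESOURCE_LIST (a CM_RESOURCE_LIST) enumerating the physical RAM ranges the kernel mapped at boot; adding up the ranges gives installed RAM without touching GlobalMemoryStatusEx or WMI, which is why this exact query is a staple of VM/sandbox checks that look for low-memory analysis machines. The report only shows that the sample reads the value, not what it does with the result. The decoder below is an added example written for this page, not code recovered from the sample: the struct layout and the 20-byte (64-bit Windows) versus 16-byte (32-bit Windows) descriptor size follow the 4-byte-packed definitions in wdm.h as understood here, the sample blob is constructed rather than dumped from a machine, and the optional live read on Windows is an assumption about how an analyst would reproduce the query, not something the report shows.

```python
r"""Decoder for HKLM\HARDWARE\RESOURCEMAP\System Resources\Physical Memory\.Translated

The value is a REG_RESOURCE_LIST (CM_RESOURCE_LIST from wdm.h, 4-byte packed):

  ULONG Count                                  -> number of CM_FULL_RESOURCE_DESCRIPTORs
  CM_FULL_RESOURCE_DESCRIPTOR[Count]:
    ULONG InterfaceType, ULONG BusNumber
    CM_PARTIAL_RESOURCE_LIST: USHORT Version, USHORT Revision, ULONG Count
    CM_PARTIAL_RESOURCE_DESCRIPTOR[Count]:
      UCHAR Type, UCHAR ShareDisposition, USHORT Flags
      LARGE_INTEGER Start, ULONG Length        (first members of the union)
"""
import os
import struct
import sys

CmResourceTypeMemory = 3
CmResourceTypeMemoryLarge = 7
CM_RESOURCE_MEMORY_LARGE_40 = 0x0200  # Length holds Length40: real length = Length << 8
CM_RESOURCE_MEMORY_LARGE_48 = 0x0400  # Length holds Length48: real length = Length << 16
CM_RESOURCE_MEMORY_LARGE_64 = 0x0800  # Length holds Length64: real length = Length << 32


def descriptor_size(is_64bit_os=True):
    # The descriptor union also holds a KAFFINITY (pointer-sized), so the packed
    # descriptor is 20 bytes on 64-bit Windows and 16 bytes on 32-bit Windows.
    return 20 if is_64bit_os else 16


def parse_resource_list(blob, is_64bit_os=True):
    """Return [(start, length), ...] for every memory descriptor in the blob."""
    size = descriptor_size(is_64bit_os)
    ranges = []
    off = 0
    (full_count,) = struct.unpack_from("<I", blob, off)
    off += 4
    for _ in range(full_count):
        off += 8  # InterfaceType, BusNumber: irrelevant for the RAM total
        _ver, _rev, partial_count = struct.unpack_from("<HHI", blob, off)
        off += 8
        for _ in range(partial_count):
            rtype, _share, flags, start, length = struct.unpack_from("<BBHqI", blob, off)
            off += size
            if rtype == CmResourceTypeMemoryLarge:
                # Large descriptors store a scaled length; undo the scaling.
                if flags & CM_RESOURCE_MEMORY_LARGE_40:
                    length <<= 8
                elif flags & CM_RESOURCE_MEMORY_LARGE_48:
                    length <<= 16
                elif flags & CM_RESOURCE_MEMORY_LARGE_64:
                    length <<= 32
            if rtype in (CmResourceTypeMemory, CmResourceTypeMemoryLarge):
                ranges.append((start, length))
    return ranges


def total_physical_memory(blob, is_64bit_os=True):
    """Installed RAM in bytes: the number an evasive sample compares against a threshold."""
    return sum(length for _, length in parse_resource_list(blob, is_64bit_os))


def build_resource_list(descriptors, is_64bit_os=True):
    """Constructed test input: one full descriptor wrapping (type, flags, start, length) entries."""
    size = descriptor_size(is_64bit_os)
    out = bytearray(struct.pack("<I", 1))               # CM_RESOURCE_LIST.Count
    out += struct.pack("<II", 0, 0)                     # InterfaceType=Internal, BusNumber=0
    out += struct.pack("<HHI", 1, 1, len(descriptors))  # Version, Revision, Count
    for rtype, flags, start, length in descriptors:
        entry = struct.pack("<BBHqI", rtype, 0, flags, start, length)
        out += entry.ljust(size, b"\x00")               # pad the union to its full size
    return bytes(out)


# Constructed sample (not a real dump): 632 KiB of conventional memory, about 2 GiB
# below the 4 GiB line, and a 4 GiB "large" range above it encoded as Length40.
SAMPLE_BLOB = build_resource_list([
    (CmResourceTypeMemory, 0, 0x1000, 0x9E000),
    (CmResourceTypeMemory, 0, 0x100000, 0x7FF00000),
    (CmResourceTypeMemoryLarge, CM_RESOURCE_MEMORY_LARGE_40, 0x100000000, 0x1000000),
])


def read_live_translated_value():
    """Windows only: the same RegOpenKey/RegQueryValue/RegCloseKey sequence the report shows."""
    import winreg  # local import so the module still loads on non-Windows hosts
    key_path = r"HARDWARE\RESOURCEMAP\System Resources\Physical Memory"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _reg_type = winreg.QueryValueEx(key, ".Translated")  # REG_RESOURCE_LIST -> bytes
    return value


if __name__ == "__main__":
    blob, is_64 = SAMPLE_BLOB, True
    if sys.platform == "win32":
        blob = read_live_translated_value()
        arch = os.environ.get("PROCESSOR_ARCHITEW6432", os.environ.get("PROCESSOR_ARCHITECTURE", ""))
        is_64 = arch.endswith("64")  # OS bitness, not interpreter bitness, decides the layout
    for start, length in parse_resource_list(blob, is_64):
        print(f"{start:#018x}  {length:#14x}  ({length // (1 << 20)} MiB)")
    print(f"total: {total_physical_memory(blob, is_64) // (1 << 20)} MiB")
```

                                       The Length40 scaling matters in practice: modern machines report most RAM through CmResourceTypeMemoryLarge entries, and a decoder that ignores the flag undercounts by a factor of 256. When triaging an evasive sample, compare the total this computation yields on the analysis VM with what the VM is supposed to expose; raising the VM's RAM above the small totals such checks look for is the cheap counter.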
                                      Similarity
                                      • API ID: memcmpmemcpy$memmove
                                      • String ID: ##Background
                                      • API String ID: 1544231926-465303879
                                      • Opcode ID: b05a496d2e507d18606dc398f2b828cb1d0c9318c5da5673d1ce9578303783cc
                                      • Instruction ID: a73df8e8f1b2a92e08b7f6d19f9197025928ed55193b83cd09eae362b70863d6
                                      • Opcode Fuzzy Hash: b05a496d2e507d18606dc398f2b828cb1d0c9318c5da5673d1ce9578303783cc
                                      • Instruction Fuzzy Hash: A691ACB2A14B9297DB34DF29E54067DA3E0FB54B88B80853ECB4E87784DF38E5918710
                                      APIs
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952BA30F
                                      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7952BA336
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952BA356
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952BA394
                                      • ?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7952BA39B
                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7952BA3AA
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@
                                      • String ID:
                                      • API String ID: 4063800749-0
                                      • Opcode ID: ed01221e1df9b4abde58db6171c55828e036b1fef5bf75d64baa5a36a163d2d9
                                      • Instruction ID: 2102ad4283b885d85d77fba014c584e9eb22aab54d50a2247e31c48d7774d7a6
                                      • Opcode Fuzzy Hash: ed01221e1df9b4abde58db6171c55828e036b1fef5bf75d64baa5a36a163d2d9
                                      • Instruction Fuzzy Hash: C8415472A08A9182EB359B29D9D023DF7E0FB49F95F948235CE5E43BA4CF39D4568310
                                      APIs
                                      • memcpy.VCRUNTIME140(?,?,00000000,00007FF7952BAB10,?,00000000,00000000,?,?,00007FF7952BADC1), ref: 00007FF7952C17AC
                                      • memcpy.VCRUNTIME140(?,?,00000000,00007FF7952BAB10,?,00000000,00000000,?,?,00007FF7952BADC1), ref: 00007FF7952C17BA
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00007FF7952BAB10,?,00000000,00000000,?,?,00007FF7952BADC1), ref: 00007FF7952C17F9
                                      • memcpy.VCRUNTIME140(?,?,00000000,00007FF7952BAB10,?,00000000,00000000,?,?,00007FF7952BADC1), ref: 00007FF7952C1803
                                      • memcpy.VCRUNTIME140(?,?,00000000,00007FF7952BAB10,?,00000000,00000000,?,?,00007FF7952BADC1), ref: 00007FF7952C1811
                                      • __std_fs_close_handle.MSVCPRT ref: 00007FF7952C1855
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpy$__std_fs_close_handle_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 1972519782-0
                                      • Opcode ID: 5f2a597062d4cbb8ebe4e1de4e801db4c4958d68d175e8b02c0cbfb2b75c220c
                                      • Instruction ID: e1391ed0462e51a1787c29424c67c9d22291e0387e0122836518dd8f2b489def
                                      • Opcode Fuzzy Hash: 5f2a597062d4cbb8ebe4e1de4e801db4c4958d68d175e8b02c0cbfb2b75c220c
                                      • Instruction Fuzzy Hash: 5B3106A2B18A9591DA20FB72F8040AEA3A1FB48FD4F840536DF5D0B756DF3CE0918300
                                      APIs
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952C18F5
                                      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7952C1920
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952C1940
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952C197E
                                      • ?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7952C1985
                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7952C1994
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exceptions@std@@Osfx@?$basic_ostream@
                                      • String ID:
                                      • API String ID: 4063800749-0
                                      • Opcode ID: a6f6d061a43f13d93449240fce9fb45e3c6a8e505d638e132cf1ee4fabf39194
                                      • Instruction ID: aef4177de39d2a07732f0ec90f1faa7670d77458bdb0479f5ac116bc560fbcb0
                                      • Opcode Fuzzy Hash: a6f6d061a43f13d93449240fce9fb45e3c6a8e505d638e132cf1ee4fabf39194
                                      • Instruction Fuzzy Hash: 0E418EA2A08E6582EB20EB29D8D123CE7E0FB84F95F958175CA4E47765CE3CD846C310
                                      APIs
                                        • Part of subcall function 00007FF7952BA460: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,00007FF7952BA2D3,?,?,?,?,?,00007FF7952BCC97), ref: 00007FF7952BA4B3
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952C130F
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952C1336
                                      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7952C1363
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952C139F
                                      • ?uncaught_exceptions@std@@YAHXZ.MSVCP140 ref: 00007FF7952C13A6
                                      • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7952C13B5
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?uncaught_exceptions@std@@Osfx@?$basic_ostream@V12@
                                      • String ID:
                                      • API String ID: 3395113616-0
                                      • Opcode ID: 276072ac3cd168fd38c42b79563554e63ddf31ab2da6ccdf2d34b1eda244c4a7
                                      • Instruction ID: 710c8b3b427439120afed8125be9ec1c6b77268397ce9b5536ad335fad1bf7d9
                                      • Opcode Fuzzy Hash: 276072ac3cd168fd38c42b79563554e63ddf31ab2da6ccdf2d34b1eda244c4a7
                                      • Instruction Fuzzy Hash: 2641A4B6A08A91C6DB209F2AD9D013CF7A0FB85F99F908535CE5E47B61CF38D8568340
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Image$DataDirectoryEntryXbad_function_call@std@@
                                      • String ID:
                                      • API String ID: 1114594208-0
                                      • Opcode ID: 213e5a8882043e421608d5d374fddd623734f742a88f9e2aab2fe39a9a61b992
                                      • Instruction ID: 958f77c889e6b2e6257fde085d67fbe1cb6781ff3fac4eac9f3bae2b13592d80
                                      • Opcode Fuzzy Hash: 213e5a8882043e421608d5d374fddd623734f742a88f9e2aab2fe39a9a61b992
                                      • Instruction Fuzzy Hash: E8419DB6B11A2586EB64DF26E854B29A7A0FB88F84F449035CF4E03B50DF3CE495CB00
                                      APIs
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5DDA
                                        • Part of subcall function 00007FF7952BFC48: memcmp.VCRUNTIME140 ref: 00007FF7952BFCC2
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD52
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD59
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5D59
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5F27
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5F2E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmp
                                      • String ID: Highligh
                                      • API String ID: 807481086-1659150455
                                      • Opcode ID: b65911eea13ca667f3b83868ad808e4907d6f0bdd90355b01e99c56f1d9129e9
                                      • Instruction ID: e9b061c18d9ef189c48027b4e5007f84e4bf2a7e93834fc8a31f0d1d688f73c3
                                      • Opcode Fuzzy Hash: b65911eea13ca667f3b83868ad808e4907d6f0bdd90355b01e99c56f1d9129e9
                                      • Instruction Fuzzy Hash: E281B4A2F18B5284FB20EB75D8502BCA3A1AB46F98F844275DE1D1779ADF3CD581C320
                                      APIs
                                      • __std_fs_code_page.MSVCPRT ref: 00007FF7952B239C
                                        • Part of subcall function 00007FF795398EF8: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF7952B5A90), ref: 00007FF795398EFC
                                        • Part of subcall function 00007FF795398EF8: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7952B5A90), ref: 00007FF795398F0B
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7952B250E
                                        • Part of subcall function 00007FF7952B4B40: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00007FF7952BADB4), ref: 00007FF7952B4BE4
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FF7952B2559
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$ApisFile___lc_codepage_func__std_fs_code_pagememcpy
                                      • String ID: ", "$: "
                                      • API String ID: 2077005984-747220369
                                      • Opcode ID: fac61f05fa6fdcd3b5770ef2ae5f26e00c6a46b40da0fe20c14c73bbe1be1e90
                                      • Instruction ID: f98f654c7d3793f4c8751556134bd111136e9fc11d05917ffce02d4aa490a8d6
                                      • Opcode Fuzzy Hash: fac61f05fa6fdcd3b5770ef2ae5f26e00c6a46b40da0fe20c14c73bbe1be1e90
                                      • Instruction Fuzzy Hash: CE618DB2B14B218AEB10EF75E5903BC63B2EB09B88F804535DF1D17A99DF38D1958390
                                      APIs
                                        • Part of subcall function 00007FF7952BFC48: memcmp.VCRUNTIME140 ref: 00007FF7952BFCC2
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD52
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD59
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C75A8
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C765D
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C76A7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmp
                                      • String ID: Model$Players
                                      • API String ID: 807481086-3408188920
                                      • Opcode ID: c58590b0651ee5ee9949dcaffc1a89eaffba76dbe306fa893bd09db00f5912d6
                                      • Instruction ID: 31bf7c4efea0a3f98a389de61d5f9fde3799d56d06cc7c31e6bf564fe46556a9
                                      • Opcode Fuzzy Hash: c58590b0651ee5ee9949dcaffc1a89eaffba76dbe306fa893bd09db00f5912d6
                                      • Instruction Fuzzy Hash: D7518662F1475284FB20EB79D9401BCA3A1BB45BA8F944379DE6C17BD5DF38A0418360
                                      APIs
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C948F
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C94D9
                                        • Part of subcall function 00007FF7952B3CCC: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FF7952B1D88), ref: 00007FF7952B3D1E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CA076
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CA0C1
                                      • __std_exception_copy.VCRUNTIME140 ref: 00007FF7952CA10D
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CA156
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copymemmove
                                      • String ID: ange
                                      • API String ID: 908738561-4159947239
                                      • Opcode ID: 3289e54b15cf7f7668a788ea6a737faa55e3f892cc80d947f4fb9a16c22e443a
                                      • Instruction ID: 4889a2e616a84a137917aff57f82b514335ba1e37b5e8ccdd17348033df1e128
                                      • Opcode Fuzzy Hash: 3289e54b15cf7f7668a788ea6a737faa55e3f892cc80d947f4fb9a16c22e443a
                                      • Instruction Fuzzy Hash: 5051D562F18B9289EB10DF74D8503BC73A0EB59B98F805339DA5D12696DF38E594C350
                                      APIs
                                        • Part of subcall function 00007FF7952BFC48: memcmp.VCRUNTIME140 ref: 00007FF7952BFCC2
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD52
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD59
                                        • Part of subcall function 00007FF7952BFDC8: memcmp.VCRUNTIME140 ref: 00007FF7952BFE42
                                        • Part of subcall function 00007FF7952BFDC8: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFED2
                                        • Part of subcall function 00007FF7952BFDC8: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFED9
                                        • Part of subcall function 00007FF7952BB68C: DeviceIoControl.KERNEL32 ref: 00007FF7952BB70F
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFA65
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFAA0
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFADB
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmp$ControlDevice
                                      • String ID: Camera$Head
                                      • API String ID: 3336234979-2243197927
                                      • Opcode ID: 06e0fb7780b63e38e3d5eaac360b9ca1821926b9159c63561e55b0660980b8cf
                                      • Instruction ID: bca4ffbb2d1058f1719573ba5988432d1484a9748b5241484fed8b8264359478
                                      • Opcode Fuzzy Hash: 06e0fb7780b63e38e3d5eaac360b9ca1821926b9159c63561e55b0660980b8cf
                                      • Instruction Fuzzy Hash: 3451B9A2F14A5289EB20EF74D4502FD63A1EB4AB5CF805739EE5C12689DF7CD185C350
                                      APIs
                                      • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7952D2D9F
                                      • ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7952D2DC0
                                      • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952D2E35
                                      • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952D2EAC
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952D2EF4
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
                                      • String ID:
                                      • API String ID: 481934583-0
                                      • Opcode ID: 2423eccf7b1441e8dfdbf9c635f271448b5a263b06bed8a48bc0b0d3c312f5ce
                                      • Instruction ID: ed62e37bca233340ec3150e4eee4a2dcaa2db8eca375586cd69d9937a974322e
                                      • Opcode Fuzzy Hash: 2423eccf7b1441e8dfdbf9c635f271448b5a263b06bed8a48bc0b0d3c312f5ce
                                      • Instruction Fuzzy Hash: 815160A3605A9581DB31DF2AD890339ABE0EB85F95F558535CE4E477A0CF3CE446C310
                                      APIs
                                      • ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7952C1A26
                                      • ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952C1A59
                                      • ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952C1A8A
                                      • ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7952C1AF5
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952C1B30
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@
                                      • String ID:
                                      • API String ID: 1457788575-0
                                      • Opcode ID: 55facf7ca194a3384e5b2766e505a0cf5f891ffb525d17eb9198f5eaeef3fe21
                                      • Instruction ID: bb9df714e763bef0eb7d982ae13d4c36d879c78a6ef6b2faad9ebbf964f059fe
                                      • Opcode Fuzzy Hash: 55facf7ca194a3384e5b2766e505a0cf5f891ffb525d17eb9198f5eaeef3fe21
                                      • Instruction Fuzzy Hash: D9417E72608A9181EB31DF2AE891639ABE0FB84F95F558275CE9E437A1CF3DD446C310
                                      APIs
                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B5048
                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B5056
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B508F
                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B5099
                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B50A7
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2665656946-0
                                      • Opcode ID: a9f2ee2ad2a5190c5f08e0cc438dd143872368e1698f38b38ff13e987f190da6
                                      • Instruction ID: ed464756ea2af5f16e124c3467fa3b634725fd0a704fe3bc71552a8e2e079fc8
                                      • Opcode Fuzzy Hash: a9f2ee2ad2a5190c5f08e0cc438dd143872368e1698f38b38ff13e987f190da6
                                      • Instruction Fuzzy Hash: 6431E5A2718B9195DA24EBA3E8002A9B391FB49FD4F844535EF5C0B786DF7CD1918350
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmovememsetterminate
                                      • String ID:
                                      • API String ID: 160074834-0
                                      • Opcode ID: da71b3caeab26e1f6621b6fc745aff138c3d6f0787125e8c6f7c35dc0e0cafbc
                                      • Instruction ID: 73a98ad74110f21b533aa059f27f7c0677ee85452e505dcb2a8197c21bb97636
                                      • Opcode Fuzzy Hash: da71b3caeab26e1f6621b6fc745aff138c3d6f0787125e8c6f7c35dc0e0cafbc
                                      • Instruction Fuzzy Hash: 4331F6B2715A9681EE34EF35E440279A3A0EB49F90F944635CBAD0B7D5DE3CE080C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2665656946-0
                                      • Opcode ID: 05dc1062afe3d7241e596b4007a212db7e7091ec22806511d7632aadb1d5141a
                                      • Instruction ID: 6f9d4ef273fc595d117b109651ffba2abb2f2ca8f4dfb68e6ec58ca9bac323ea
                                      • Opcode Fuzzy Hash: 05dc1062afe3d7241e596b4007a212db7e7091ec22806511d7632aadb1d5141a
                                      • Instruction Fuzzy Hash: 8931E4B2714B9191EE24BB76E8410A9A3A1FB45FD4F944536DF5C0BB96CE3CE191C310
                                      APIs
                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B4F09
                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B4F17
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B4F50
                                      • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B4F5A
                                      • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7952B6AF8), ref: 00007FF7952B4F68
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpymemset$_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 530858481-0
                                      • Opcode ID: c68d5ba3ff1210b473aae87c3ebd041531fff208a140b02ba8338fcfafd04411
                                      • Instruction ID: c9a98ba557a2ce93f2a1a0e8f47b0da7d783c8f7fc1f433affffb014db63fd50
                                      • Opcode Fuzzy Hash: c68d5ba3ff1210b473aae87c3ebd041531fff208a140b02ba8338fcfafd04411
                                      • Instruction Fuzzy Hash: 9C3124A2B08B9195DA20FF62A8401A9A391FB4AFD4F844535EF6C0BB86DF7CD1918350
                                      APIs
                                      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952B4139
                                      • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7952B4158
                                      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7952B418B
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952B41A6
                                        • Part of subcall function 00007FF7952B4494: ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF7952B44C0
                                        • Part of subcall function 00007FF7952B4494: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7952B44E4
                                        • Part of subcall function 00007FF7952B4494: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7952B44F9
                                      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7952B41EB
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@Init@?$basic_streambuf@U_iobuf@@V?$basic_streambuf@Vlocale@2@
                                      • String ID:
                                      • API String ID: 3805387474-0
                                      • Opcode ID: 6390bf95dd1cc57e7aba682ddf7927554ebdc4c07a712eb548deeab1480a0042
                                      • Instruction ID: b92cc393361a7b7fd8cbe59b5d41ba150db1f9f8af010c65db3d1366a657c1a9
                                      • Opcode Fuzzy Hash: 6390bf95dd1cc57e7aba682ddf7927554ebdc4c07a712eb548deeab1480a0042
                                      • Instruction Fuzzy Hash: 55317E72714B6185EB20DF29E895769BBA4FB89F89F498539CA4D43720DF3CD016C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Handle$AddressAttributesCloseErrorFileLastModuleProc__std_fs_open_handleabort
                                      • String ID:
                                      • API String ID: 684753192-0
                                      • Opcode ID: ddbe0c37f33a6c1009a987b7517a4a9429eab735a4aeb80fc0136aa8b720d8d0
                                      • Instruction ID: 678fea1eacad0c6c99f2fa2d9feb6ab5715383e4c9dd41ddffbefe63134d08e5
                                      • Opcode Fuzzy Hash: ddbe0c37f33a6c1009a987b7517a4a9429eab735a4aeb80fc0136aa8b720d8d0
                                      • Instruction Fuzzy Hash: 181136B293C551C5E7607736A4A417AE7D1DB84FB8F94023CE56A467E4DE3CD4418B10
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturnmallocmemcmp
                                      • String ID: cannot use operator[] with a string argument with
                                      • API String ID: 292313590-2766135566
                                      • Opcode ID: 72467d8e4b4a26688cda80093b890723dfde874923ef9e92fca188c9ece96a09
                                      • Instruction ID: 5c9c26801d75dcb9174fb6034b2c550bd91f566b5c6230fcfeb6f79b14aa361f
                                      • Opcode Fuzzy Hash: 72467d8e4b4a26688cda80093b890723dfde874923ef9e92fca188c9ece96a09
                                      • Instruction Fuzzy Hash: 0461E0A3E08A9199EB20EB71D8502ED73A0EB55B9CF848135DE4C17B8ADF39D199C310
                                      APIs
                                        • Part of subcall function 00007FF7952BFC48: memcmp.VCRUNTIME140 ref: 00007FF7952BFCC2
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD52
                                        • Part of subcall function 00007FF7952BFC48: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952BFD59
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5B2E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5C0D
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C5C14
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$memcmp
                                      • String ID: Clothes
                                      • API String ID: 807481086-4291071248
                                      • Opcode ID: 8ec896b9cb743eaacd157185d9c501eca63293a58c7df9a4dfbfc83af700fa31
                                      • Instruction ID: 6414c8ac07c115cd25f8ad3960280a25f3f5b32d7e60d2ca23fc642e875d164c
                                      • Opcode Fuzzy Hash: 8ec896b9cb743eaacd157185d9c501eca63293a58c7df9a4dfbfc83af700fa31
                                      • Instruction Fuzzy Hash: 1C5182A2F25A6184EB10DBB5D8402BCA3A1AB45FA8F944375DE2C177D9DF3CE581C320
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: CreateFile_invalid_parameter_noinfo_noreturnmemmoverand
                                      • String ID: \\.\AsUpdateio
                                      • API String ID: 2202623641-1903023465
                                      • Opcode ID: bd9ec09c1507e492d4ab9fcf786e210153aa77d44e9bdf262e2e3d4d54c5de52
                                      • Instruction ID: 7c061f6898ebe05d2d132362a2b06b1be0289390b938ab1ae0ae0e6c616527af
                                      • Opcode Fuzzy Hash: bd9ec09c1507e492d4ab9fcf786e210153aa77d44e9bdf262e2e3d4d54c5de52
                                      • Instruction Fuzzy Hash: B13193B2B25A52D9EB20AF74D4903A96390EB49B98F805239EA5D06AD9DF3CD584C310
                                      APIs
                                        • Part of subcall function 00007FF795397CF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C58,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397D00
                                      • GetModuleHandleA.KERNEL32 ref: 00007FF7952B8814
                                      • GetProcAddress.KERNEL32 ref: 00007FF7952B8824
                                        • Part of subcall function 00007FF795397C84: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C91,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397C94
                                        • Part of subcall function 00007FF795397C84: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C91,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397CD4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ExclusiveLock$Acquire$AddressHandleModuleProcRelease
                                      • String ID: NtShutdownSystem$ntdll.dll
                                      • API String ID: 630817722-344172481
                                      • Opcode ID: 3a6154d178725149cb7182649c2d8a14bcaef2fed9fa836904c37b1d30abc871
                                      • Instruction ID: 0724f62fdc7b68020f37b981bd2687af12250bd9000a7e988293d88781945eef
                                      • Opcode Fuzzy Hash: 3a6154d178725149cb7182649c2d8a14bcaef2fed9fa836904c37b1d30abc871
                                      • Instruction Fuzzy Hash: E7114C64A18A6281EAA0EB65E854074F3A0BB89F98FC4413AD96D173B5CF2CE445C720
                                      APIs
                                        • Part of subcall function 00007FF795397CF0: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C58,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397D00
                                      • GetModuleHandleA.KERNEL32 ref: 00007FF7952B7A6F
                                      • GetProcAddress.KERNEL32 ref: 00007FF7952B7A7F
                                        • Part of subcall function 00007FF795397C84: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C91,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397C94
                                        • Part of subcall function 00007FF795397C84: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF7952B7C91,?,?,-00001000,00007FF7952B7781), ref: 00007FF795397CD4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ExclusiveLock$Acquire$AddressHandleModuleProcRelease
                                      • String ID: NtShutdownSystem$ntdll.dll
                                      • API String ID: 630817722-344172481
                                      • Opcode ID: 6537980b19a6f1c7e8507a29eaac4a04631dbdaa7acf315733f5cdca5a805d1e
                                      • Instruction ID: c790b113806a9fbe32e1b5484b87f948e04748a55c9c0f00583cec78147cf5ea
                                      • Opcode Fuzzy Hash: 6537980b19a6f1c7e8507a29eaac4a04631dbdaa7acf315733f5cdca5a805d1e
                                      • Instruction Fuzzy Hash: 0A112164A18A6391EA60FB75E854074E3F0BF45F94F840636DA5E533B1CF2CE546C720
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: GetTempPath2W$kernel32.dll
                                      • API String ID: 1646373207-1846531799
                                      • Opcode ID: 3ad04351ebf23fece227bc52e5559bd12557b95a65e0abf30dbdd452761aac83
                                      • Instruction ID: 3cd512c7e492d5725a2d65692313d177013cb59282f24aafac2f03deb90db8f7
                                      • Opcode Fuzzy Hash: 3ad04351ebf23fece227bc52e5559bd12557b95a65e0abf30dbdd452761aac83
                                      • Instruction Fuzzy Hash: A4E0E565B28E16C2DF15BB21F9A4075A361BF89F88B84503DC54E07335DE2CD455C710
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memmove$memset
                                      • String ID:
                                      • API String ID: 3790616698-0
                                      • Opcode ID: 1d44d12a0353f397910b2d70e6c1ec3bdcd1109ba9dfc8e5befce52273fafe3b
                                      • Instruction ID: 044561f36b428f0aba15bddfed6780374754a077e5aaad3c14da05a8edd6bd41
                                      • Opcode Fuzzy Hash: 1d44d12a0353f397910b2d70e6c1ec3bdcd1109ba9dfc8e5befce52273fafe3b
                                      • Instruction Fuzzy Hash: B6414966B2879596EB24DF79D8822ADB791EB01F80FC48135C74D47B87EB2DE119C310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2016347663-0
                                      • Opcode ID: 5facb9a215c52eee02527b84e6dd5ac7fcda02718f7d4a4718820860ca644f8c
                                      • Instruction ID: 0e8897ce4b8e82eb0da0862e96d333bde7de913d9f66f9d11189da3d10790a75
                                      • Opcode Fuzzy Hash: 5facb9a215c52eee02527b84e6dd5ac7fcda02718f7d4a4718820860ca644f8c
                                      • Instruction Fuzzy Hash: A851D4B2714A9A96DE24EF26D8542A8A3E0E748FD4F848436DF5D07785DE38E191C340
                                      APIs
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C948F
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C94D9
                                        • Part of subcall function 00007FF7952B3CCC: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FF7952B1D88), ref: 00007FF7952B3D1E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9C9A
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9CE5
                                      • __std_exception_copy.VCRUNTIME140 ref: 00007FF7952C9D31
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9D7A
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copymemmove
                                      • String ID:
                                      • API String ID: 908738561-0
                                      • Opcode ID: 10ea991b2cab806b116356c0d857714c478feaaa3ef46d9bd644a380e6437405
                                      • Instruction ID: a2d9c36b9ecef9d9be54cd46d024e5317ba6bdb1f1084dbe2d249cf7a6a4eb09
                                      • Opcode Fuzzy Hash: 10ea991b2cab806b116356c0d857714c478feaaa3ef46d9bd644a380e6437405
                                      • Instruction Fuzzy Hash: AF51D362F18B5185EB10DF74E8503BC63A1EB99B98F804339DA5D16696EF38E294C350
                                      APIs
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C948F
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C94D9
                                        • Part of subcall function 00007FF7952B3CCC: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FF7952B1D88), ref: 00007FF7952B3D1E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CA270
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CA2BB
                                      • __std_exception_copy.VCRUNTIME140 ref: 00007FF7952CA30B
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952CA354
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copymemmove
                                      • String ID:
                                      • API String ID: 908738561-0
                                      • Opcode ID: db1884434ea7f22d2b9f210a1e6bd9e3438bf6e6123d8e04b099e26c161cc33e
                                      • Instruction ID: cdb24023c010dcb894c4ab1225edb87ba52a7efec7bc11ec27f7ce3259ae621b
                                      • Opcode Fuzzy Hash: db1884434ea7f22d2b9f210a1e6bd9e3438bf6e6123d8e04b099e26c161cc33e
                                      • Instruction Fuzzy Hash: 0E51C762E18B96C9EB10DF74D8502BC73A0EB59B98F809339DA5C17796EF38E194C310
                                      APIs
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C948F
                                        • Part of subcall function 00007FF7952C935C: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C94D9
                                        • Part of subcall function 00007FF7952B3CCC: memmove.VCRUNTIME140(?,?,?,?,00000000,00007FF7952B1D88), ref: 00007FF7952B3D1E
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9E88
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9ED3
                                      • __std_exception_copy.VCRUNTIME140 ref: 00007FF7952C9F1F
                                      • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7952C9F68
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copymemmove
                                      • String ID:
                                      • API String ID: 908738561-0
                                      • Opcode ID: ac9d22d6f6af7d8a558326bfc04b57fe228c81c5dec4214a765b66131b804633
                                      • Instruction ID: 0de05430a674b0c7933c48995e8ccc8283992009b6bc7da0d59bc9cc5d41760c
                                      • Opcode Fuzzy Hash: ac9d22d6f6af7d8a558326bfc04b57fe228c81c5dec4214a765b66131b804633
                                      • Instruction Fuzzy Hash: 1151C663F18B9289FB10DF74D8503BC63A0EB5AB58F80533ADA5C16696EF38E594C350
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                      • String ID:
                                      • API String ID: 2016347663-0
                                      • Opcode ID: e4d31e809bd745176ef52ebd0218e9e1d7a4027eeabc42bf3eb0b3903fc7016d
                                      • Instruction ID: 059ccbcc11ba139ea0a7fad3bd5241fd5b25f312b8920eddf6e4c7c7c2349d76
                                      • Opcode Fuzzy Hash: e4d31e809bd745176ef52ebd0218e9e1d7a4027eeabc42bf3eb0b3903fc7016d
                                      • Instruction Fuzzy Hash: C041E3A3B14AAA81EA24EB71D8151B9A390FB04FE4F948635DB6C077C6CF3CE591C300
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmovememset
                                      • String ID:
                                      • API String ID: 2090792099-0
                                      • Opcode ID: 7563e6ceef94e0cc565497fbf682f20a9e56615890e95a62b91c82ff7896ecd7
                                      • Instruction ID: 9a5994a8204d4057e859f49d21afe0e89b078ceb35ab54929fa057225f2c936b
                                      • Opcode Fuzzy Hash: 7563e6ceef94e0cc565497fbf682f20a9e56615890e95a62b91c82ff7896ecd7
                                      • Instruction Fuzzy Hash: D041D5B2705A5285EE34EB75D8442BDA390EB0AFA0F948635DB2D0B7C4EF3DE4918310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                      • String ID:
                                      • API String ID: 2075926362-0
                                      • Opcode ID: 210a048c123351d6ec8256a0425badc1a8a90612afc0b85dc0065334c6dd12e6
                                      • Instruction ID: 365b74d3ff550b45eede0c5eb9b59d4876f92d3d53a368c99b6c6bd9c50b2481
                                      • Opcode Fuzzy Hash: 210a048c123351d6ec8256a0425badc1a8a90612afc0b85dc0065334c6dd12e6
                                      • Instruction Fuzzy Hash: D44116A3B15AA681EA24EB31D45427DA3A1FB09FD4F944535CB6C07B85DF3CD491C300
                                      APIs
                                      • ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z.MSVCP140 ref: 00007FF7952B3391
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ?xsgetn@?$basic_streambuf@D@std@@@std@@U?$char_traits@
                                      • String ID:
                                      • API String ID: 2474753874-0
                                      • Opcode ID: aed5f68f1146ac9b2692f6fcbe2979a1f8bee4d73a2a16c120c2319de688a070
                                      • Instruction ID: 3c9b4aecf75d2433ac9475849765d09890650e26b43c73ce0304c332bf46d499
                                      • Opcode Fuzzy Hash: aed5f68f1146ac9b2692f6fcbe2979a1f8bee4d73a2a16c120c2319de688a070
                                      • Instruction Fuzzy Hash: D6318071714B66C2EA69AF2AD94036CA3A0FB59FC4FA84036CF0D53B55DF38E4658310
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                      • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                      • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide
                                      • String ID:
                                      • API String ID: 203985260-0
                                      • Opcode ID: f283353a68d882692e16551c3968f37761c7e8bace1ef5b6dc576d69ac0022f3
                                      • Instruction ID: bd20b411afd5c9c0677899ccb85ee1ba9128d44340e7dac1ea2c78acd3bf5d88
                                      • Opcode Fuzzy Hash: f283353a68d882692e16551c3968f37761c7e8bace1ef5b6dc576d69ac0022f3
                                      • Instruction Fuzzy Hash: 6D2137B6A28B95C7E3209F22A45432AB7F4F788F98F64413DDB8853B54DF38D8518B10
                                      APIs
                                      • ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF7952B44C0
                                        • Part of subcall function 00007FF7952B42CC: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,00000000,00007FF7952B44DC), ref: 00007FF7952B42EA
                                        • Part of subcall function 00007FF7952B42CC: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7952B4319
                                      • ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7952B44E4
                                        • Part of subcall function 00007FF7952B489C: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(00000000,?,?,00007FF7952B44F3), ref: 00007FF7952B48B2
                                        • Part of subcall function 00007FF7952B489C: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B48CC
                                        • Part of subcall function 00007FF7952B489C: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B48FE
                                        • Part of subcall function 00007FF7952B489C: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B4929
                                        • Part of subcall function 00007FF7952B489C: std::_Facet_Register.LIBCPMT ref: 00007FF7952B4942
                                        • Part of subcall function 00007FF7952B489C: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,00007FF7952B44F3), ref: 00007FF7952B4961
                                      • ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7952B44F9
                                      • ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7952B4511
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
                                      • String ID:
                                      • API String ID: 3911317180-0
                                      • Opcode ID: ee5bac1eb5931890a47fe06060730ffaf38fae3b2d8a39870feadcfa5b97958a
                                      • Instruction ID: bef63e5f1cc895cf321fa5e01dbb537a1684f61dc0e2dc848bad5dec0f6f84be
                                      • Opcode Fuzzy Hash: ee5bac1eb5931890a47fe06060730ffaf38fae3b2d8a39870feadcfa5b97958a
                                      • Instruction Fuzzy Hash: 1D11E3A1B19F1281EF64AB31E894379A3D1AF4AFC8F984038DE0E0B754DE3CE5448390
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ErrorFileHandleInformationLast
                                      • String ID:
                                      • API String ID: 275135790-0
                                      • Opcode ID: fee0c066ec71cf1c041039e548f23949a19027ab29567ead7e0b696524889f01
                                      • Instruction ID: 6b572cbae3e0d0b3831615a49568c79b5c747c10a6ec01f6a0928deeef0de8ce
                                      • Opcode Fuzzy Hash: fee0c066ec71cf1c041039e548f23949a19027ab29567ead7e0b696524889f01
                                      • Instruction Fuzzy Hash: 4BF0A2B2E28552C2F7756B34D8746B8E7E09F84F1CF84023DCA46425A4DF6DE984C620
                                      APIs
                                      • ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7952B87BE), ref: 00007FF7952B28AF
                                      • ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7952B87BE), ref: 00007FF7952B2904
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: ??1?$basic_istream@D@std@@@std@@U?$char_traits@Xlength_error@std@@
                                      • String ID: map/set too long
                                      • API String ID: 2904289979-558153379
                                      • Opcode ID: 3056b84c33b486585dd82a9aefa44354d687176cad8072ec5cd39a3706cbaf2c
                                      • Instruction ID: 17634a26b2b26430ef442ff333a1f685b0f3923feb30f3b14cb1ea770f5a919c
                                      • Opcode Fuzzy Hash: 3056b84c33b486585dd82a9aefa44354d687176cad8072ec5cd39a3706cbaf2c
                                      • Instruction Fuzzy Hash: 7FF049A2B24E6AD4EB24EF29D49036873A1FB45F49F844039CB0D03610CF38D595CB20
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
                                       • Associated: 00000009.00000002.3716015956.00007FF7952B0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716367472.00007FF79539F000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716444269.00007FF7953A0000.00000002.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716548241.00007FF7953E1000.00000004.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716626020.00007FF7953E2000.00000008.00000001.01000000.00000007.sdmp
                                       • Associated: 00000009.00000002.3716860604.00007FF7954E1000.00000002.00000001.01000000.00000007.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
                                      Similarity
                                      • API ID: memcpy$memmove
                                      • String ID:
                                      • API String ID: 1283327689-0
                                      • Opcode ID: 0f7dc98607b38e2ccf41560d1b3c8de93af0b4290aecb902914286c045ea8418
                                      • Instruction ID: 8b935637feae5647ab894008a6f97d4daa3e13a1944bb0e5dabb27c800bd3aab
                                      • Opcode Fuzzy Hash: 0f7dc98607b38e2ccf41560d1b3c8de93af0b4290aecb902914286c045ea8418
                                      • Instruction Fuzzy Hash: 72419A73A08B9982DA20EF22E5401A8A3A1F754FC4F648636DF9C0B756DF78E594C340
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c6b580e0709e6dd033e745fb6e7e8fc5324213aec087c50a0c1fcb0c3afcba0a
                                      • Instruction ID: 9a8c991eb7eebde623e7e314c0d06ee15961cd3f1d09306417fd918051ce30fa
                                      • Opcode Fuzzy Hash: c6b580e0709e6dd033e745fb6e7e8fc5324213aec087c50a0c1fcb0c3afcba0a
                                      • Instruction Fuzzy Hash: 0432B861B19A499FE798FB38C4597B9B6D2FF99300F5445B9E00EC32D7DE28E8018781
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 44d833d85583a2cd1d285833d9ae79516fa192ffb9769faa718f8477e398e8d8
                                      • Instruction ID: 325bec91ec2803f426ff105b13940c70dc74cfb6a1a6f538e661a7c44b0cf257
                                      • Opcode Fuzzy Hash: 44d833d85583a2cd1d285833d9ae79516fa192ffb9769faa718f8477e398e8d8
                                      • Instruction Fuzzy Hash: F1515791A0E6C54FE786AB7888656757FD4EF87215B0804FEE08DC71E3DE0C484AC382
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4e00ad13c53210bc5b5041f8b76613d7abcbfc957141751380e102d7c7be75a9
                                      • Instruction ID: b0e9a3f03d7801872a3449a9f1b1b477ca8ea32c62308a0fc005988bf6641321
                                      • Opcode Fuzzy Hash: 4e00ad13c53210bc5b5041f8b76613d7abcbfc957141751380e102d7c7be75a9
                                      • Instruction Fuzzy Hash: 7A913762A0DA8A4FE756A77CD8665F97FE1EF87210B0440FBD04DC7193DE18A80683D2
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe17583ce2476f3e1896e2aa6dd4904c59befd1b8266dc9e74f9f49ce5b030a5
                                      • Instruction ID: 9ba480718ea8e5b246963ffb625ac6dc7283228aefa05e356f05c57ae674f54c
                                      • Opcode Fuzzy Hash: fe17583ce2476f3e1896e2aa6dd4904c59befd1b8266dc9e74f9f49ce5b030a5
                                      • Instruction Fuzzy Hash: 0731C461D18A8E8FE745DB68C8A61FDBFB1EF87210F4440B6C00EE71A3DE29680587C1
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9aa98470395cfc27695cb57d28fa767efa7861b8da00e133a20ec2675cc26c50
                                      • Instruction ID: cc390ad108c8ece180c34a6f2649b77d755efa7a589423b99298714c9b9ed189
                                      • Opcode Fuzzy Hash: 9aa98470395cfc27695cb57d28fa767efa7861b8da00e133a20ec2675cc26c50
                                      • Instruction Fuzzy Hash: D731E862B189494FE788FB2CC46A678B6C6EF99315F1405BDE00EC32A3DE689C458381
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3e4ed0700be6a11f8c61d12b09849b5071a96ffe6462258a995baf6b800ae96c
                                      • Instruction ID: 0955c3150aaeb63ce1b05692ce3029274e21de89d7dd843f2030b2f9eb08e175
                                      • Opcode Fuzzy Hash: 3e4ed0700be6a11f8c61d12b09849b5071a96ffe6462258a995baf6b800ae96c
                                      • Instruction Fuzzy Hash: 5E31B391B18A4A5BF744BBBC885A7BD77D5FF9A301F0442BAE00DC3293DE58980583C1
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0415c16f6f662387b45098f9b717b2239d3c36214c4a3507074bba7f35b7e7dd
                                      • Instruction ID: b98363f5beec09c0a657bc6d68a5c5f2bd5e7e3253cdf924a7d59db8a9b541b9
                                      • Opcode Fuzzy Hash: 0415c16f6f662387b45098f9b717b2239d3c36214c4a3507074bba7f35b7e7dd
                                      • Instruction Fuzzy Hash: 2E41E470A1964D9FEB44EBB8C4596F9BBA1FF99310F9045B9D00DD3282DE389841C791
                                      Memory Dump Source
                                      • Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3c8e2713a704982bbc1ef882336c55c1e592a7df7fc6caaf6723679f1423a344
                                      • Instruction ID: 8e5438fb956431915ee34b8ff497dcad72566625a8cfc888346052eadc1989fb
                                      • Opcode Fuzzy Hash: 3c8e2713a704982bbc1ef882336c55c1e592a7df7fc6caaf6723679f1423a344
                                      • Instruction Fuzzy Hash: BC116B61A0D6958FFB42AB3CA891471BFE0DF93221B0801E7F48DC70A7DA18DA4583C1
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3249c9f26a56f7d086cd438b6b717d7e2f69db8abb647399009e72a9ad237d5c
                                      • Instruction ID: f3f0d8e91b98bb0352143d091fcfd6f6471062852b6f009262e6a8c278b0400f
                                      • Opcode Fuzzy Hash: 3249c9f26a56f7d086cd438b6b717d7e2f69db8abb647399009e72a9ad237d5c
                                      • Instruction Fuzzy Hash: DD32A5A1B2DA094FE795EB7DC4597B9B6D2FF99310F4445BDE00EC3292DE28E8418381
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 564749d1b76ca284e108ace5ebd75676202575f8c08bb795d1c2c8b3ae898e1c
                                      • Instruction ID: 5d4daa024e98d9429bcee2c3b42a62359be7dccce5471112750192818429846c
                                      • Opcode Fuzzy Hash: 564749d1b76ca284e108ace5ebd75676202575f8c08bb795d1c2c8b3ae898e1c
                                      • Instruction Fuzzy Hash: D6514791A0E6C94FE786AB7898646757FD5DF87225B0804FFE08DC71D3DD188806C382
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5c6a6eec692ad18f1840016ec29a8dd76caaf9b8a780117b6becb35548066722
                                      • Instruction ID: 4f87ea40ba210a08a557d7940fd36ed858250959089b193caece0e8d4a0443ea
                                      • Opcode Fuzzy Hash: 5c6a6eec692ad18f1840016ec29a8dd76caaf9b8a780117b6becb35548066722
                                      • Instruction Fuzzy Hash: 6B913762A0D68A4FE756AB7CD8656F97FE1EF87220B0841FBD04DC7193DD18980A8391
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f37436929fe4d5cf8a36b844429c2d68df379a84c53973194086bf30c1d01a3a
                                      • Instruction ID: d94d841a47866b874a4c9637079ff04836803efcf27c47ec033c5247271c6d28
                                      • Opcode Fuzzy Hash: f37436929fe4d5cf8a36b844429c2d68df379a84c53973194086bf30c1d01a3a
                                      • Instruction Fuzzy Hash: 5531C861E1D68D8FE742DB68C8652FDBFB1EF46220F4441BBC00DD71D2DD2458058381
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d660a58e9a82394c76aee82ddd5d93c05a19aa9ba08be3587067852c03bb8384
                                      • Instruction ID: 36210ef9fd594b057076e5c186fbb40e0ef13df28d71851db8ab4a92fc98ab5d
                                      • Opcode Fuzzy Hash: d660a58e9a82394c76aee82ddd5d93c05a19aa9ba08be3587067852c03bb8384
                                      • Instruction Fuzzy Hash: 4031D362B189484FE788FB2CD46A778B6C6EFD9315F0405BEE00EC3293DE649C468380
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b7c95830539f4c03e19dda70265e635234b377a9b4d76f32b0dc59a1683b5b7f
                                      • Instruction ID: 5d053efa16bb195f5b4633748bd3c657f8a0d6b8cf2cfc043ae3a3aa35462fed
                                      • Opcode Fuzzy Hash: b7c95830539f4c03e19dda70265e635234b377a9b4d76f32b0dc59a1683b5b7f
                                      • Instruction Fuzzy Hash: FE31D291B19A495FE785BBBC885A7FD77D2EF99301F0442BAE00DC3293DE68D8058381
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 54d297f186c9b95b58160f9b0bdca1a68603fc23d74340f505e2633d85b6ee63
                                      • Instruction ID: bb09d838cf5414969953354a6cd7fb07a0f4b963f5f463dfb8fd40d7c7cdf7cb
                                      • Opcode Fuzzy Hash: 54d297f186c9b95b58160f9b0bdca1a68603fc23d74340f505e2633d85b6ee63
                                      • Instruction Fuzzy Hash: 72319FB1A58A0A8FEB44EBBCC4596F9BBA1FF99310F5445B9D00DD7282DE38A801C741
                                      Memory Dump Source
                                      • Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 78096d1a90cbc30afd8873c6e45b81552cb8943f63191f18843e3cd6373ebd0b
                                      • Instruction ID: c482771ae6062f152c05ef95c5ea2e85295667e754c61e3015d3908e2eb1bd12
                                      • Opcode Fuzzy Hash: 78096d1a90cbc30afd8873c6e45b81552cb8943f63191f18843e3cd6373ebd0b
                                      • Instruction Fuzzy Hash: C4114861A0D7958FF783AF2CA8515717FE0DF97231B0805EBE48DCB0A7DA14D9598381
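The per-function entries above (process 9, the dropped freeware.exe image; processes 14 and 16, two non-PE code regions that Joe Sandbox tagged as edge) are easier to work with once parsed into records. The script below is an added example, not code from the Joe Sandbox report or from Joe Security: it parses the "Memory Dump Source" block format as rendered above, derives the decimal process index from the first dotted field of the .sdmp name and cross-checks it against the index in the snapshot file name (an inference from the entries themselves, where 00000009/hcaresult_9, 0000000E/hcaresult_14 and 00000010/hcaresult_16 line up), and then pairs functions from process 14 with their closest counterpart in process 16 by instruction fuzzy hash. The comparison used is a plain nibble-wise agreement ratio chosen for this example; it is not the metric behind the report's own Similarity section. The SAMPLE text is copied from three of the entries above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function entries and compare
instruction fuzzy hashes across processes.

Added example, not Joe Sandbox code. SAMPLE is copied from three entries of
the report. fuzzy_similarity() is a nibble-wise agreement ratio chosen for
this example only (assumption), not Joe Sandbox's own similarity metric.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
Memory Dump Source
• Source File: 00000009.00000002.3716075593.00007FF7952B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7952B0000, based on PE: true
• Snapshot File: hcaresult_9_2_7ff7952b0000_freeware.jbxd
• API ID: memcpy$memmove
• String ID:
• Opcode ID: 0f7dc98607b38e2ccf41560d1b3c8de93af0b4290aecb902914286c045ea8418
• Instruction Fuzzy Hash: 72419A73A08B9982DA20EF22E5401A8A3A1F754FC4F648636DF9C0B756DF78E594C340
Memory Dump Source
• Source File: 0000000E.00000002.1379923992.00007FFAACCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCE0000, based on PE: false
• Snapshot File: hcaresult_14_2_7ffaacce0000_edge.jbxd
• API ID:
• String ID:
• Opcode ID: c6b580e0709e6dd033e745fb6e7e8fc5324213aec087c50a0c1fcb0c3afcba0a
• Instruction Fuzzy Hash: 0432B861B19A499FE798FB38C4597B9B6D2FF99300F5445B9E00EC32D7DE28E8018781
Memory Dump Source
• Source File: 00000010.00000002.1604495129.00007FFAACCD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCD0000, based on PE: false
• Snapshot File: hcaresult_16_2_7ffaaccd0000_edge.jbxd
• API ID:
• String ID:
• Opcode ID: 3249c9f26a56f7d086cd438b6b717d7e2f69db8abb647399009e72a9ad237d5c
• Instruction Fuzzy Hash: DD32A5A1B2DA094FE795EB7DC4597B9B6D2FF99310F4445BDE00EC3292DE28E8418381
"""


@dataclass
class FunctionEntry:
    process: int          # decimal process index (9, 14, 16 in SAMPLE)
    source_file: str
    offset: str
    based_on_pe: bool     # false: dump is not a mapped PE image (e.g. JIT or heap code)
    snapshot: str
    api_id: str           # empty when no resolved API is called
    string_id: str
    opcode_id: str
    instruction_fuzzy: str


def _field(block: str, name: str) -> str:
    """Value of a '• Name: value' line, or '' when absent or empty."""
    m = re.search(r"^\s*•\s*" + re.escape(name) + r":[ \t]*(.*?)[ \t]*$", block, re.M)
    return m.group(1) if m else ""


def parse_entries(text: str) -> list[FunctionEntry]:
    entries = []
    for block in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M)[1:]:
        src = re.search(r"Source File:\s*(\S+),\s*Offset:\s*(\S+),\s*based on PE:\s*(true|false)", block)
        if not src:
            continue
        source_file, offset, pe = src.groups()
        process = int(source_file.split(".")[0], 16)   # inferred: first sdmp field is the PID index
        snapshot = _field(block, "Snapshot File")
        snap = re.match(r"hcaresult_(\d+)_", snapshot)
        if snap and int(snap.group(1)) != process:     # cross-check against the snapshot name
            raise ValueError(f"process index mismatch: {source_file} vs {snapshot}")
        entries.append(FunctionEntry(
            process=process, source_file=source_file, offset=offset,
            based_on_pe=(pe == "true"), snapshot=snapshot,
            api_id=_field(block, "API ID"), string_id=_field(block, "String ID"),
            opcode_id=_field(block, "Opcode ID"),
            instruction_fuzzy=_field(block, "Instruction Fuzzy Hash")))
    return entries


def fuzzy_similarity(a: str, b: str) -> float:
    """Share of hex positions at which two instruction fuzzy hashes agree (assumed proxy)."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def match_across_processes(entries, p1, p2, threshold=0.6):
    """Pair each function from process p1 with its closest function in p2; keep pairs
    scoring at least threshold. Returns (opcode_id in p1, opcode_id in p2, score)."""
    right = [e for e in entries if e.process == p2]
    pairs = []
    for e in (x for x in entries if x.process == p1):
        scored = [(fuzzy_similarity(e.instruction_fuzzy, r.instruction_fuzzy), r) for r in right]
        if not scored:
            continue
        score, best = max(scored, key=lambda t: t[0])
        if score >= threshold:
            pairs.append((e.opcode_id, best.opcode_id, round(score, 3)))
    return pairs


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for a, b, s in match_across_processes(ents, 14, 16):
        print(f"{a[:16]} (process 14) ~ {b[:16]} (process 16): {s}")
```

On the three copied entries the process 14 and process 16 hashes agree at 50 of 70 positions, while the freeware.exe memcpy wrapper agrees with the process 14 function at only 7 of 70, which is what one would expect if the two edge regions hold the same code loaded at different bases. Treat the score as a triage hint only; confirm with the dumps themselves before concluding two regions are the same function.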