
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544033
MD5: f01ed03b7a786c24ebd92eab9b441b9d
SHA1: 891c8ef7b9ef32e9d4de3ee473186cd4ba66059f
SHA256: 6dc5fcbd3d05cb11dc4731aea996c7cbc213253c4d4b119799c5ddedebe537fb
Tags: exe user-Bitsight

Detection

DarkVision Rat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DarkVision Rat
AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Creates autostart registry keys with suspicious names
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Uses dynamic DNS services
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found evasive API chain (may stop execution after accessing registry keys)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3776 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F01ED03B7A786C24EBD92EAB9B441B9D)
    • Edge.exe (PID: 7020 cmdline: "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320} MD5: F01ED03B7A786C24EBD92EAB9B441B9D)
  • Edge.exe (PID: 3192 cmdline: "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA} MD5: F01ED03B7A786C24EBD92EAB9B441B9D)
  • Edge.exe (PID: 6052 cmdline: "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA} MD5: F01ED03B7A786C24EBD92EAB9B441B9D)
  • cleanup
No configs have been found
Yara matches (source, rule, description, author, strings):

Source: 00000005.00000002.2434983215.000000C000180000.00000004.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Donutloader_f40e3759 (description: unknown, author: unknown)
Strings:
  • 0x6e518:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x71a4e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Source: 00000002.00000002.3409842091.000000C000180000.00000004.00001000.00020000.00000000.sdmp
Rule: Windows_Trojan_Donutloader_f40e3759 (description: unknown, author: unknown)
Strings:
  • 0x6e518:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x71a4e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Source: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_Donutloader_f40e3759 (description: unknown, author: unknown)
Strings:
  • 0x6ed68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x7229e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Source: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_Donutloader_f40e3759 (description: unknown, author: unknown)
Strings:
  • 0x6ed68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x7229e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

Source: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp
Rule: Windows_Trojan_Donutloader_f40e3759 (description: unknown, author: unknown)
Strings:
  • 0x6ed68:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49
  • 0x7229e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Edge\Edge.exe {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\Edge\Edge.exe, ProcessId: 7020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34}
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T18:27:14.832287+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49705 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:15.267682+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49705 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:21.568738+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49708 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:24.579334+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49708 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:25.814191+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49710 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:26.904465+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49717 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:27.990523+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49726 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:29.065178+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49735 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:30.241808+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49742 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:25.021247+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49908 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:26.665782+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49918 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:27.934942+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49924 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:29.007585+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49932 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:30.079258+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49940 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:31.161043+0100 | 2045618 | 1 | A Network Trojan was detected | 192.168.2.6 | 49948 | 178.215.224.241 | 5589 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-28T18:27:18.876125+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.6 | 49705 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:26.309555+0100 | 2045619 | 1 | A Network Trojan was detected | 192.168.2.6 | 49908 | 178.215.224.241 | 5589 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | ReversingLabs: Detection: 15%
Source: file.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.6% probability
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected

Bitcoin Miner

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A23100 LoadLibraryExW, 0_2_00A23100
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 2_2_00AD3100 LoadLibraryExW, 2_2_00AD3100
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 5_2_00AD3100 LoadLibraryExW, 5_2_00AD3100
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp rdx, 40h | 0_2_00A103B1
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp rdx, 40h | 0_2_00A103C0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then shr r10, 0Dh | 0_2_00A1B5E0
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then shr r10, 0Dh | 0_2_00A1CA60
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then lock or byte ptr [rdx], dil | 0_2_00A10B00
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then cmp rdx, rbx | 0_2_009FBEA0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then cmp rdx, 40h | 2_2_00AC03B1
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then cmp rdx, 40h | 2_2_00AC03C0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then shr r10, 0Dh | 2_2_00ACB5E0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then shr r10, 0Dh | 2_2_00ACCA60
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then lock or byte ptr [rdx], dil | 2_2_00AC0B00
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then cmp rdx, rbx | 2_2_00AABEA0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then cmp rdx, 40h | 5_2_00AC03B1
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then cmp rdx, 40h | 5_2_00AC03C0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then shr r10, 0Dh | 5_2_00ACB5E0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then shr r10, 0Dh | 5_2_00ACCA60
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then lock or byte ptr [rdx], dil | 5_2_00AC0B00
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4x nop then cmp rdx, rbx | 5_2_00AABEA0

Networking

Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49708 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49705 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49710 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49717 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49726 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:49705 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49735 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49940 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49932 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49918 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49924 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49908 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49948 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045618 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M1 : 192.168.2.6:49742 -> 178.215.224.241:5589
Source: Network traffic | Suricata IDS: 2045619 - Severity 1 - ET MALWARE Win32/DarkVision RAT CnC Checkin M3 : 192.168.2.6:49908 -> 178.215.224.241:5589
Source: unknown | DNS query: name: fishcrabs99.ddns.net
Source: global traffic | TCP traffic: 192.168.2.6:49705 -> 178.215.224.241:5589
Source: Joe Sandbox View | ASN Name: LVLT-10753US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 2_2_000002667B1C1B70 recv, 2_2_000002667B1C1B70
Source: global traffic | DNS traffic detected: DNS query: fishcrabs99.ddns.net

System Summary

Source: 00000005.00000002.2434983215.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.3409842091.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000004.00000002.2349782661.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2177332111.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_000001B278C80808 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtUnmapViewOfSection, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, 0_2_000001B278C80808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 2_2_00000266799F0808 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtUnmapViewOfSection, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, 2_2_00000266799F0808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 4_2_00000261E54C0808 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtUnmapViewOfSection, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, 4_2_00000261E54C0808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 5_2_0000018F784D0808 NtCreateSection, NtMapViewOfSection, VirtualAlloc, NtUnmapViewOfSection, NtMapViewOfSection, VirtualProtect, VirtualProtect, VirtualProtect, 5_2_0000018F784D0808
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D0B8805_2_0000018F79D0B880
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D1B0305_2_0000018F79D1B030
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D1D01C5_2_0000018F79D1D01C
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D1DFC45_2_0000018F79D1DFC4
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D183705_2_0000018F79D18370
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D003A05_2_0000018F79D003A0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79CFB3405_2_0000018F79CFB340
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D04AC05_2_0000018F79D04AC0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D082B05_2_0000018F79D082B0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D092E05_2_0000018F79D092E0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D10A865_2_0000018F79D10A86
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D08AA05_2_0000018F79D08AA0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D10A105_2_0000018F79D10A10
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79CF7D705_2_0000018F79CF7D70
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D0AD515_2_0000018F79D0AD51
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D145205_2_0000018F79D14520
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D0ACD05_2_0000018F79D0ACD0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79CFE7005_2_0000018F79CFE700
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: 5_2_0000018F79D02EF05_2_0000018F79D02EF0
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AD8F00 appears 176 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AD9720 appears 1386 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AEFC60 appears 38 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AD7400 appears 1016 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AEFBA0 appears 32 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AEFB00 appears 32 times
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exeCode function: String function: 00AD74E0 appears 52 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00A27400 appears 508 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00A28F00 appears 88 times
Source: C:\Users\user\Desktop\file.exeCode function: String function: 00A29720 appears 693 times
Source: 00000005.00000002.2434983215.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000002.00000002.3409842091.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000004.00000002.2349782661.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2177332111.000000C000180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: classification engine Classification label: mal100.troj.evad.mine.winEXE@5/1@2/1
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Edge\
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{F8DE3DC4-75BA-41B5-AAA0-72BEB2254E92}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{201D2E18-90F7-4B7A-B82B-6FF56BC5C891}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{D2F471D6-04FC-452D-BFE5-E6CA5D7676C4}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{9559844D-7F94-49DE-971B-013ECDA3550E}
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe Mutant created: \Sessions\1\BaseNamedObjects\{2BCF8665-0CFD-491A-9C88-1B848948EC08}
Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\system32\1540f5beb3236a6a3ae461a727ff5cab6cda68073f5022edeecd799d7b90531dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe File opened: C:\Windows\system32\cd7370b541f81c6e63571b7c4178dc3fd003c0098fefb3d855eb17b20e3164bcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe File opened: C:\Windows\system32\0ddda059f12607f1fa5eb7d94f3736249f72f462429f6c2bfd59b67060fe32f1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe File opened: C:\Windows\system32\e4b43d036c60d98b37efca81f08fd9a3fa61ae198d475cb67cccfb92dddf7fc8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe ReversingLabs: Detection: 15%
Source: file.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: file.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: file.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: file.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: file.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: file.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: file.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: file.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: file.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: file.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: file.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: file.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: file.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: file.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Edge.exe String found in binary or memory: ) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime:
Source: Edge.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime:
Source: Edge.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime:
Source: Edge.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable t
Source: Edge.exe String found in binary or memory: /memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime:
Source: Edge.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
Source: Edge.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Edge.exe String found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Edge.exe String found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Edge.exe String found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Edge.exe String found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Edge.exe String found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Edge.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Edge.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
Source: Edge.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Edge.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
Source: Edge.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Edge.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
Source: Edge.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Edge.exeString found in binary or memory: /memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent loc
Source: Edge.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Edge.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
Source: Edge.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Edge.exeString found in binary or memory: /sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack
Source: Edge.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: Edge.exeString found in binary or memory: /memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspin
Source: file.exeString found in binary or memory: unsafe.String: len out of rangeCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailW11368683772161602973937988281255684341886080801486968994140625resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoneduse of closed network connectionGetVolumePathNamesForVolumeNameWfail to seek to string table: %vfail to seek to symbol table: %v28421709430404007434844970703125crypto/aes: input not full block" not supported for cpu option "too many levels of symbolic linksInitializeProcThreadAttributeListreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangebytes.Reader.Seek: invalid whenceskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit 
pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangewaiting for unsupported file typeCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWfail to read relocation block: %v142108547152020037174224853515625710542735760100185871124267578125crypto/aes: output not full blockGODEBUG: no value specified for "leafCounts[maxBits][maxBits] != ntoo many references: cannot spliceSetFileCompletionNotificationModesreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeillegal
Source: file.exeString found in binary or memory: unsafe.String: len out of rangeCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailW11368683772161602973937988281255684341886080801486968994140625resource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyMapIter.Value called before Nextslice bounds out of range [::%x]slice bounds out of range [:%x:]slice bounds out of range [%x::] (types from different packages)end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandoneduse of closed network connectionGetVolumePathNamesForVolumeNameWfail to seek to string table: %vfail to seek to symbol table: %v28421709430404007434844970703125crypto/aes: input not full block" not supported for cpu option "too many levels of symbolic linksInitializeProcThreadAttributeListreflect: slice index out of range of method on nil interface valuereflect: Field index out of rangereflect: array index out of rangebytes.Reader.Seek: invalid whenceskip everything and stop the walkGetVolumeNameForVolumeMountPointWslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit 
pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of rangewaiting for unsupported file typeCryptAcquireCertificatePrivateKeySetupDiGetDeviceRegistryPropertyWSetupDiSetDeviceRegistryPropertyWfail to read relocation block: %v142108547152020037174224853515625710542735760100185871124267578125crypto/aes: output not full blockGODEBUG: no value specified for "leafCounts[maxBits][maxBits] != ntoo many references: cannot spliceSetFileCompletionNotificationModesreflect: Field of non-struct type reflect: Field index out of boundsreflect: string index out of rangeillegal
Source: file.exe | String found in binary or memory: net/addrselect.go
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Roaming\Edge\Edge.exe "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320}
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Edge\Edge.exe "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: msi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: msi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Section loaded: rasadhlp.dll
Source: file.exe | Static file information: File size 2482176 > 1048576
Source: file.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x175000
Source: file.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: file.exe | Static PE information: section name: .xdata
Source: file.exe | Static PE information: section name: .symtab
Source: Edge.exe.0.dr | Static PE information: section name: .xdata
Source: Edge.exe.0.dr | Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Edge\Edge.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {AB1F3E47-AEF1-400E-A108-233A046C3A34}
Source: C:\Users\user\Desktop\file.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\{68A1BBBA-1552-44A8-955F-BE6CBFD1BFA8} {5CD9FA9E-C629-40A5-B53C-5627575F9471}
Source: C:\Users\user\Desktop\file.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: AAE94B
Source: C:\Users\user\Desktop\file.exe | API/Special instruction interceptor: Address: AAEA0D
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | API/Special instruction interceptor: Address: B5E94B
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | API/Special instruction interceptor: Address: B5EA0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A56440 rdtscp
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe TID: 776 | Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe TID: 776 | Thread sleep time: -55000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A23240 GetProcessAffinityMask,GetSystemInfo
Source: file.exe, 00000000.00000002.2177552989.000001B233845000.00000004.00000020.00020000.00000000.sdmp, Edge.exe, 00000002.00000002.3409909564.0000026654384000.00000004.00000020.00020000.00000000.sdmp, Edge.exe, 00000004.00000002.2349979823.00000261DFE8E000.00000004.00000020.00020000.00000000.sdmp, Edge.exe, 00000005.00000002.2435167248.0000018F72FAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A56440 Start: 00A56449 End: 00A5645F
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 2_2_00B06440 Start: 00B06449 End: 00B0645F
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 5_2_00B06440 Start: 00B06449 End: 00B0645F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A56440 rdtscp

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | NtMapViewOfSection: Indirect: 0x1B278C80F03
Source: C:\Users\user\Desktop\file.exe | NtMapViewOfSection: Indirect: 0x1B278C809C6
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtUnmapViewOfSection: Indirect: 0x266799F0E97
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtMapViewOfSection: Indirect: 0x261E54C0F03
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtDelayExecution: Direct from: 0xB5EA0D
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtMapViewOfSection: Indirect: 0x261E54C09C6
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtMapViewOfSection: Indirect: 0x266799F0F03
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtMapViewOfSection: Indirect: 0x266799F09C6
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtMapViewOfSection: Indirect: 0x18F784D0F03
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtMapViewOfSection: Indirect: 0x18F784D09C6
Source: C:\Users\user\Desktop\file.exe | NtUnmapViewOfSection: Indirect: 0x1B278C80E97
Source: C:\Users\user\Desktop\file.exe | NtDelayExecution: Direct from: 0xAAE94B
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtDelayExecution: Direct from: 0xB5E94B
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtUnmapViewOfSection: Indirect: 0x261E54C0E97
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | NtUnmapViewOfSection: Indirect: 0x18F784D0E97
Source: C:\Users\user\AppData\Roaming\Edge\Edge.exe | Code function: 2_2_000002667B1C41A0 GetUserGeoID,gethostname,gethostbyname,GetUserNameW

Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: file.exe PID: 3776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Edge.exe PID: 7020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Edge.exe PID: 3192, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Edge.exe PID: 6052, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: file.exe PID: 3776, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Edge.exe PID: 7020, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Edge.exe PID: 3192, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Edge.exe PID: 6052, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic; techniques the report highlights carry its count in parentheses, the rest are the unmatched entries of the matrix template)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (1), Abuse Elevation Control Mechanism (1), Registry Run Keys / Startup Folder (11), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (211), Virtualization/Sandbox Evasion (1), Account Discovery (1), System Owner/User Discovery (1), System Information Discovery (12), Wi-Fi Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (1), Application Layer Protocol (11), Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Source | Detection | Scanner
file.exe | 16% | ReversingLabs
file.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\Edge\Edge.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\Edge\Edge.exe | 16% | ReversingLabs
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fishcrabs99.ddns.net | 178.215.224.241 | true | true | - | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
178.215.224.241 | fishcrabs99.ddns.net | Germany | 10753 | LVLT-10753US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544033
Start date and time: 2024-10-28 18:26:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.mine.winEXE@5/1@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 108
• Number of non-executed functions: 116
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: file.exe
Time | Type | Description
13:27:52 | API Interceptor | 96x Sleep call for process: Edge.exe modified
18:27:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run {AB1F3E47-AEF1-400E-A108-233A046C3A34} C:\Users\user\AppData\Roaming\Edge\Edge.exe {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}
18:27:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run {AB1F3E47-AEF1-400E-A108-233A046C3A34} C:\Users\user\AppData\Roaming\Edge\Edge.exe {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}
Match | Associated Sample Name / URL | Detection | Threat Name | Context
LVLT-10753US | nabspc.elf | malicious | Unknown | 217.22.7.30
LVLT-10753US | splsh4.elf | malicious | Unknown | 168.215.79.153
LVLT-10753US | la.bot.m68k.elf | malicious | Unknown | 148.57.98.32
LVLT-10753US | la.bot.sh4.elf | malicious | Unknown | 212.87.197.98
LVLT-10753US | w18Ys8qKuX.elf | malicious | Unknown | 168.215.50.172
LVLT-10753US | keldRUiaay.elf | malicious | Mirai | 147.207.101.215
LVLT-10753US | ai3eCONS9Q.elf | malicious | Mirai | 94.154.174.114
LVLT-10753US | i686.elf | malicious | Unknown | 178.215.238.10
LVLT-10753US | oodforme.doc | malicious | Remcos | 178.215.224.176
LVLT-10753US | 172966320624e13c69130942cdd5d6acfaaa0a3c37caf1b0782206d6657ac60035e08c695d630.dat-decoded.exe | malicious | Remcos | 178.215.224.176
Process: C:\Users\user\Desktop\file.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 2482176
Entropy (8bit): 6.547362799877085
Encrypted: false
SSDEEP: 24576:VmbfFJN3P6yM97l2cMPdjjy/ZIbRCTtM+UcI6TRq3jUN6DMhQKjyJ9IFz1uXy:k7N3P6ykZ2cmjjalM+E3SMQJW
MD5: F01ED03B7A786C24EBD92EAB9B441B9D
SHA1: 891C8EF7B9EF32E9D4DE3EE473186CD4BA66059F
SHA-256: 6DC5FCBD3D05CB11DC4731AEA996C7CBC213253C4D4B119799C5DDEDEBE537FB
SHA-512: A8041C03E9FD9AB1C2BF4BB6FDE3948C803B1592E24FDD112387249B83DFF0309D14BE6D7BDD19A4D1C5FEE3B931E45B13C361E38AC15358AFA7B82652CF55E4
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 16%
Reputation: low
    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........%......."......P...........{........@...........................................`... ..............................................P..T.............-..O...........`..PE....................................................#..............................text...VO.......P.................. ..`.rdata..HN...`...P...V..............@..@.data....9....#.......#.............@....pdata...O....-..P...@%.............@..@.xdata.......@........%.............@..@.idata..T....P........%.............@....reloc..PE...`...F....%.............@..B.symtab...............%................B................................................................................................................................................................................................................................................................................................
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 6.547362799877085
TrID:
• Win64 Executable GUI (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'482'176 bytes
MD5: f01ed03b7a786c24ebd92eab9b441b9d
SHA1: 891c8ef7b9ef32e9d4de3ee473186cd4ba66059f
SHA256: 6dc5fcbd3d05cb11dc4731aea996c7cbc213253c4d4b119799c5ddedebe537fb
SHA512: a8041c03e9fd9ab1c2bf4bb6fde3948c803b1592e24fdd112387249b83dff0309d14be6d7bdd19a4d1c5fee3b931e45b13c361e38ac15358afa7b82652cf55e4
SSDEEP: 24576:VmbfFJN3P6yM97l2cMPdjjy/ZIbRCTtM+UcI6TRq3jUN6DMhQKjyJ9IFz1uXy:k7N3P6ykZ2cmjjalM+E3SMQJW
TLSH: 1FB58D0BBDE448B5D0AA9332896691567A31BC544F3263D73B90B3BC3FB2BD06A75704
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.........%......."......P...........{........@...........................................`... ............................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x467b80
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 1
File Version Major: 6
File Version Minor: 1
Subsystem Version Major: 6
Subsystem Version Minor: 1
Import Hash: c2d457ad8ac36fc9f18d45bffcd450c2
    Instruction
    jmp 00007EFC84B21F00h
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    push ebp
    dec eax
    mov ebp, esp
    pushfd
    cld
    dec eax
    sub esp, 000000E0h
    dec eax
    mov dword ptr [esp], edi
    dec eax
    mov dword ptr [esp+08h], esi
    dec eax
    mov dword ptr [esp+10h], ebp
    dec eax
    mov dword ptr [esp+18h], ebx
    dec esp
    mov dword ptr [esp+20h], esp
    dec esp
    mov dword ptr [esp+28h], ebp
    dec esp
    mov dword ptr [esp+30h], esi
    dec esp
    mov dword ptr [esp+38h], edi
    movups dqword ptr [esp+40h], xmm6
    movups dqword ptr [esp+50h], xmm7
    inc esp
    movups dqword ptr [esp+60h], xmm0
    inc esp
    movups dqword ptr [esp+70h], xmm1
    inc esp
    movups dqword ptr [esp+00000080h], xmm2
    inc esp
    movups dqword ptr [esp+00000090h], xmm3
    inc esp
    movups dqword ptr [esp+000000A0h], xmm4
    inc esp
    movups dqword ptr [esp+000000B0h], xmm5
    inc esp
    movups dqword ptr [esp+000000C0h], xmm6
    inc esp
    movups dqword ptr [esp+000000D0h], xmm7
    inc ebp
    xorps xmm7, xmm7
    dec ebp
    xor esi, esi
    dec eax
    mov eax, dword ptr [00273292h]
    dec eax
    mov eax, dword ptr [eax]
    dec eax
    cmp eax, 00000000h
    je 00007EFC84B257A5h
    dec esp
    mov esi, dword ptr [eax]
    dec eax
    sub esp, 10h
    dec eax
    mov eax, ecx
    dec eax
    mov ebx, edx
    call 00007EFC84B2897Bh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e5000 | 0x554 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2df000 | 0x4f80 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e6000 | 0x4550 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x23b2c0 | 0x180 | .data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc4f56 | 0xc5000 | f85ed6485f5f341b3bfbfb5ae146eb33 | False | 0.45797311230964466 | data | 6.328756615813412 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc6000 | 0x174e48 | 0x175000 | 80890c89e7b14da192af4f0d2176e2bb | False | 0.5579961618213807 | data | 6.275020134818021 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x23b000 | 0xa39a0 | 0x19a00 | 509af2b069c52edeca952f993de59ff7 | False | 0.3520865091463415 | data | 3.8801574277109085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2df000 | 0x4f80 | 0x5000 | a25d14af5f938a1b681ef469fec4e055 | False | 0.404931640625 | data | 5.202052188261448 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata | 0x2e4000 | 0xb4 | 0x200 | 2a441ced7959d453af803daaa7e3d98a | False | 0.2265625 | shared library | 1.787112262798912 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata | 0x2e5000 | 0x554 | 0x600 | caf70aed9e8209f6f72fbe542260dad3 | False | 0.380859375 | data | 4.006464998139286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x2e6000 | 0x4550 | 0x4600 | aa41c0b0e4d4eed7b16333031ee89fed | False | 0.32042410714285713 | data | 5.426941412781997 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab | 0x2eb000 | 0x4 | 0x200 | 07b5472d347d42780469fb2654b7fc54 | False | 0.02734375 | data | 0.020393135236084953 | IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
kernel32.dll | WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateFileA, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-28T18:27:14.832287+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49705 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:15.267682+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49705 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:18.876125+0100 | 2045619 | ET MALWARE Win32/DarkVision RAT CnC Checkin M3 | 1 | 192.168.2.6 | 49705 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:21.568738+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49708 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:24.579334+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49708 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:25.814191+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49710 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:26.904465+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49717 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:27.990523+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49726 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:29.065178+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49735 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:27:30.241808+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49742 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:25.021247+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49908 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:26.309555+0100 | 2045619 | ET MALWARE Win32/DarkVision RAT CnC Checkin M3 | 1 | 192.168.2.6 | 49908 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:26.665782+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49918 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:27.934942+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49924 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:29.007585+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49932 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:30.079258+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49940 | 178.215.224.241 | 5589 | TCP
2024-10-28T18:28:31.161043+0100 | 2045618 | ET MALWARE Win32/DarkVision RAT CnC Checkin M1 | 1 | 192.168.2.6 | 49948 | 178.215.224.241 | 5589 | TCP
    Oct 28, 2024 18:28:29.839143991 CET558949932178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:30.072923899 CET558949932178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:30.073683977 CET499405589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:30.079081059 CET558949940178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:30.079171896 CET499405589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:30.079257965 CET499405589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:30.084958076 CET558949940178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:30.085247993 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:30.128319025 CET499325589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:30.128463984 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:30.913430929 CET558949940178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:30.913738012 CET499405589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:30.919199944 CET558949940178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:31.100595951 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:31.143923044 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:31.154639006 CET558949940178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:31.155428886 CET499485589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:31.160873890 CET558949948178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:31.160950899 CET499485589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:31.161042929 CET499485589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:31.166605949 CET558949948178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:31.206440926 CET499405589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:31.973566055 CET558949948178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:31.989115000 CET499485589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:31.994673967 CET558949948178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:32.103739023 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:32.143929958 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:32.320755959 CET558949948178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:32.362730026 CET499485589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:33.222168922 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:33.268925905 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:34.210621119 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:34.253325939 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:35.228840113 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:35.268949032 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:36.240828037 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:36.284532070 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:37.242064953 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:37.284569025 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:38.257520914 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:38.300208092 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:39.273041964 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:39.315830946 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:40.288667917 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:40.331418991 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:41.289789915 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:41.331434965 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:42.303534985 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:42.347078085 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:43.319921970 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:43.362684011 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:44.428685904 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:44.472099066 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:45.414299965 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:45.456439972 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:46.592811108 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:46.643938065 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:47.444144964 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:47.487674952 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:49.049392939 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:49.050095081 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:49.050177097 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:49.050518990 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:49.050573111 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:49.444339991 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:49.487710953 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:50.447957039 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:50.503348112 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:52.415832996 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:52.416486025 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:52.416548967 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:52.417016983 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:52.417064905 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:52.600887060 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:52.643937111 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:53.607338905 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:53.659578085 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:54.617733002 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:54.659584045 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:55.632427931 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:55.675184965 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:56.647730112 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:56.690874100 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:57.665004969 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:57.706537962 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:58.665138006 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:58.706461906 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:28:59.679851055 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:28:59.722109079 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:00.694411039 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:00.737793922 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:01.711178064 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:01.753343105 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:02.714598894 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:02.769015074 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:03.727596998 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:03.769025087 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:04.888395071 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:04.940840960 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:05.192584991 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:05.192682981 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:05.897360086 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:05.940908909 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:06.897284031 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:06.941035032 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:07.897619009 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:07.940831900 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:08.912900925 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:08.956511021 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:09.916237116 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:09.972115993 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:10.928601980 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:10.972738981 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:11.934185982 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:11.988421917 CET499085589192.168.2.6178.215.224.241
    Oct 28, 2024 18:29:12.944536924 CET558949908178.215.224.241192.168.2.6
    Oct 28, 2024 18:29:12.988365889 CET499085589192.168.2.6178.215.224.241
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 28, 2024 18:27:14.498375893 CET | 49879 | 53 | 192.168.2.6 | 1.1.1.1
    Oct 28, 2024 18:27:14.651345015 CET | 53 | 49879 | 1.1.1.1 | 192.168.2.6
    Oct 28, 2024 18:28:25.004865885 CET | 55971 | 53 | 192.168.2.6 | 1.1.1.1
    Oct 28, 2024 18:28:25.014700890 CET | 53 | 55971 | 1.1.1.1 | 192.168.2.6

    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Oct 28, 2024 18:27:14.498375893 CET | 192.168.2.6 | 1.1.1.1 | 0x6475 | Standard query (0) | fishcrabs99.ddns.net | A (IP address) | IN (0x0001) | false
    Oct 28, 2024 18:28:25.004865885 CET | 192.168.2.6 | 1.1.1.1 | 0x9507 | Standard query (0) | fishcrabs99.ddns.net | A (IP address) | IN (0x0001) | false

    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Oct 28, 2024 18:27:14.651345015 CET | 1.1.1.1 | 192.168.2.6 | 0x6475 | No error (0) | fishcrabs99.ddns.net | - | 178.215.224.241 | A (IP address) | IN (0x0001) | false
    Oct 28, 2024 18:28:25.014700890 CET | 1.1.1.1 | 192.168.2.6 | 0x9507 | No error (0) | fishcrabs99.ddns.net | - | 178.215.224.241 | A (IP address) | IN (0x0001) | false
    Target ID: 0
    Start time: 13:27:04
    Start date: 28/10/2024
    Path: C:\Users\user\Desktop\file.exe
    Wow64 process (32bit): false
    Commandline: "C:\Users\user\Desktop\file.exe"
    Imagebase: 0x9f0000
    File size: 2'482'176 bytes
    MD5 hash: F01ED03B7A786C24EBD92EAB9B441B9D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: Go lang
    Yara matches:
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2177332111.000000C000180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    Reputation: low
    Has exited: true

    Target ID: 2
    Start time: 13:27:06
    Start date: 28/10/2024
    Path: C:\Users\user\AppData\Roaming\Edge\Edge.exe
    Wow64 process (32bit): false
    Commandline: "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320}
    Imagebase: 0xaa0000
    File size: 2'482'176 bytes
    MD5 hash: F01ED03B7A786C24EBD92EAB9B441B9D
    Has elevated privileges: true
    Has administrator privileges: true
    Programmed in: Go lang
    Yara matches:
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000002.00000002.3409842091.000000C000180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    Antivirus matches:
    • Detection: 100%, Joe Sandbox ML
    • Detection: 16%, ReversingLabs
    Reputation: low
    Has exited: false

    Target ID: 4
    Start time: 13:27:21
    Start date: 28/10/2024
    Path: C:\Users\user\AppData\Roaming\Edge\Edge.exe
    Wow64 process (32bit): false
    Commandline: "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}
    Imagebase: 0xaa0000
    File size: 2'482'176 bytes
    MD5 hash: F01ED03B7A786C24EBD92EAB9B441B9D
    Has elevated privileges: false
    Has administrator privileges: false
    Programmed in: Go lang
    Yara matches:
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000004.00000002.2349782661.000000C000180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
    Reputation: low
    Has exited: true

    Target ID: 5
    Start time: 13:27:29
    Start date: 28/10/2024
    Path: C:\Users\user\AppData\Roaming\Edge\Edge.exe
    Wow64 process (32bit): false
    Commandline: "C:\Users\user\AppData\Roaming\Edge\Edge.exe" {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}
    Imagebase: 0xaa0000
    File size: 2'482'176 bytes
    MD5 hash: F01ED03B7A786C24EBD92EAB9B441B9D
    Has elevated privileges: false
    Has administrator privileges: false
    Programmed in: Go lang
    Yara matches:
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.2434983215.000000C000180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
    Reputation: low
    Has exited: true


      Execution Graph

      Execution Coverage:2.9%
      Dynamic/Decrypted Code Coverage:21.7%
      Signature Coverage:20.5%
      Total number of Nodes:1128
      Total number of Limit Nodes:101
      execution_graph: [interactive call-graph widget; the node and edge dump is not reproduced here]. What the dump does show: the graph starts in a dynamically allocated region outside the file.exe image (node at 0x1b27a4d805f), where the code resolves its imports through GetProcAddressForCaller and LoadLibraryExW; all remaining nodes are functions inside the file.exe image (addresses 0x9f1a80 to 0xa57d00, above imagebase 0x9f0000), and the large majority of them terminate in WriteFile.
56972->57111 56974 a24d00 WriteFile 56973->56974 56976 a23a71 56974->56976 57112 a52a00 WriteFile 56976->57112 56978 a23aaf 56979 a24d80 WriteFile 56978->56979 56980 a23acd 56979->56980 57098 a23100 56980->57098 56982 a23ae5 56982->56943 56983->56943 56985 a391aa 56984->56985 56985->56984 57115 9f8340 WriteFile 56985->57115 56987 a391eb 56988 9fe380 WriteFile 56987->56988 56989 a39205 56988->56989 57116 a50f80 WriteFile 56989->57116 56992 a39245 57117 a394a0 WriteFile 56992->57117 56993 a3929e 57118 a394a0 WriteFile 56993->57118 56995 a392af 57119 9f8340 WriteFile 56995->57119 56997 a392db 57120 a522c0 WriteFile 56997->57120 56999 a392e5 56999->56943 57000->56943 57001->56943 57002->56943 57003->56943 57004->56943 57005->56943 57006->56943 57007->56943 57008->56943 57009->56943 57015 a3cc6a 57010->57015 57011 a06840 WriteFile 57011->57015 57012 9fc120 WriteFile 57012->57015 57014 9fc380 WriteFile 57014->57015 57015->57010 57015->57011 57015->57012 57015->57014 57017 a3ccf1 57015->57017 57018 a27400 WriteFile 57015->57018 57121 a18720 57015->57121 57127 a19aa0 WriteFile 57015->57127 57017->56943 57018->57015 57019->56943 57020->56943 57021->56943 57022->56947 57023->56943 57025 a17cca 57024->57025 57025->57024 57058 a09720 WriteFile 57025->57058 57027 a17cfe 57059 a09720 WriteFile 57027->57059 57029 a17d25 57060 a09720 WriteFile 57029->57060 57031 a17d49 57061 a09720 WriteFile 57031->57061 57033 a17d6d 57062 a09720 WriteFile 57033->57062 57035 a17d91 57063 a09720 WriteFile 57035->57063 57037 a17db5 57064 a09720 WriteFile 57037->57064 57039 a17dd9 57043 a1aaa0 57039->57043 57042 a05620 WriteFile 57042->56961 57056 a1aaaa 57043->57056 57044 a1aaca 57065 a20ac0 57044->57065 57046 a29720 WriteFile 57046->57056 57047 a1ab16 57069 a1cf80 57047->57069 57049 a29540 WriteFile 57049->57056 57050 a1ab25 57074 a13cc0 57050->57074 57052 a28f00 WriteFile 57052->57056 57054 a28ea0 WriteFile 57054->57056 57055 a290e0 WriteFile 57055->57056 57056->57043 57056->57044 57056->57046 
57056->57049 57056->57052 57056->57054 57056->57055 57078 a27400 WriteFile 57056->57078 57058->57027 57059->57029 57060->57031 57061->57033 57062->57035 57063->57037 57064->57039 57066 a20ac6 57065->57066 57066->57065 57067 9fe640 WriteFile 57066->57067 57068 a20afa 57067->57068 57068->57047 57072 a1cf8a 57069->57072 57070 a1d085 57070->57050 57071 a06e40 WriteFile 57071->57072 57072->57069 57072->57070 57072->57071 57079 a27400 WriteFile 57072->57079 57075 a13cca 57074->57075 57075->57074 57080 a1d960 57075->57080 57077 9fcb17 57077->57042 57078->57056 57079->57072 57081 a1d966 57080->57081 57081->57080 57082 a06e40 WriteFile 57081->57082 57083 a1d985 57082->57083 57083->57077 57086 9f202a 57084->57086 57085 9fe380 WriteFile 57087 9f203e 57085->57087 57086->57084 57086->57085 57091 9f219b 57087->57091 57095 a3be40 WriteFile 57087->57095 57092 9f23ad 57091->57092 57096 a3be40 WriteFile 57091->57096 57093 9f25ba 57092->57093 57097 a3be40 WriteFile 57092->57097 57093->56966 57094->56968 57095->57091 57096->57092 57097->57093 57099 a2310a 57098->57099 57099->57098 57100 a24e00 WriteFile 57099->57100 57101 a23145 57100->57101 57102 a2321a 57101->57102 57113 a22c40 WriteFile 57101->57113 57102->56982 57104 a2317d 57105 a23214 57104->57105 57114 a52a00 WriteFile 57104->57114 57105->56982 57107 a231ba 57108 a24e00 WriteFile 57107->57108 57109 a231fc 57108->57109 57109->56982 57110->56972 57111->56972 57112->56978 57113->57104 57114->57107 57115->56987 57116->56992 57117->56993 57118->56995 57119->56997 57120->56999 57126 a18726 57121->57126 57122 a18732 57123 a18ac0 WriteFile 57122->57123 57125 a18739 57123->57125 57125->57015 57126->57121 57126->57122 57128 a27400 WriteFile 57126->57128 57127->57015 57128->57126 57129 1b278c7fffc 57152 1b278c81aa4 57129->57152 57132 1b278c81aa4 LoadLibraryA 57133 1b278c80038 57132->57133 57134 1b278c81aa4 LoadLibraryA 57133->57134 57135 1b278c8004e 57134->57135 57136 1b278c80060 VirtualAlloc 57135->57136 57150 1b278c80079 57135->57150 
57137 1b278c800a5 57136->57137 57136->57150 57138 1b278c81aa4 LoadLibraryA 57137->57138 57137->57150 57139 1b278c80119 57138->57139 57140 1b278c80170 57139->57140 57139->57150 57190 1b278c81814 57139->57190 57141 1b278c81aa4 LoadLibraryA 57140->57141 57142 1b278c801b0 57140->57142 57140->57150 57141->57140 57142->57150 57151 1b278c80238 57142->57151 57194 1b278c7ef64 VirtualProtect VirtualProtect VirtualProtect VirtualProtect LoadLibraryA 57142->57194 57145 1b278c8020e 57146 1b278c80212 57145->57146 57156 1b278c7f090 57145->57156 57146->57145 57146->57150 57151->57150 57165 1b278c80808 57151->57165 57153 1b278c81adb 57152->57153 57154 1b278c80025 57153->57154 57195 1b278c7f5b0 LoadLibraryA 57153->57195 57154->57132 57157 1b278c81814 LoadLibraryA 57156->57157 57158 1b278c7f0ae 57157->57158 57196 1b278c818fc 57158->57196 57161 1b278c7f0cb VirtualProtect 57162 1b278c7f10d 57161->57162 57163 1b278c7f0e5 57161->57163 57162->57150 57162->57151 57164 1b278c7f0f7 VirtualProtect 57163->57164 57164->57162 57166 1b278c8085c 57165->57166 57167 1b278c808b4 NtCreateSection 57166->57167 57169 1b278c808e3 57166->57169 57189 1b278c81090 57166->57189 57167->57169 57167->57189 57168 1b278c80989 NtMapViewOfSection 57176 1b278c809dd 57168->57176 57169->57168 57169->57189 57170 1b278c80d58 VirtualAlloc 57178 1b278c80e0f 57170->57178 57171 1b278c81814 LoadLibraryA 57171->57176 57173 1b278c81814 LoadLibraryA 57174 1b278c80cb9 57173->57174 57174->57170 57174->57173 57181 1b278c818fc LoadLibraryA 57174->57181 57175 1b278c80f0b VirtualProtect 57177 1b278c8101e VirtualProtect 57175->57177 57185 1b278c80f33 57175->57185 57176->57171 57176->57174 57179 1b278c818fc LoadLibraryA 57176->57179 57176->57189 57184 1b278c8105a 57177->57184 57178->57175 57180 1b278c80e87 NtUnmapViewOfSection 57178->57180 57179->57176 57182 1b278c80e9f NtMapViewOfSection 57180->57182 57180->57189 57181->57174 57182->57175 57182->57189 57183 1b278c81011 57183->57177 57184->57189 57201 1b278c815b8 LoadLibraryA 
57184->57201 57185->57183 57188 1b278c80fe4 VirtualProtect 57185->57188 57188->57185 57189->57150 57193 1b278c81832 57190->57193 57191 1b278c818dd LoadLibraryA 57192 1b278c818e5 57191->57192 57192->57139 57193->57191 57193->57192 57194->57145 57195->57153 57197 1b278c81932 57196->57197 57199 1b278c7f0c3 57196->57199 57197->57199 57200 1b278c7f768 LoadLibraryA 57197->57200 57199->57161 57199->57162 57200->57199 57201->57189 57202 1b27a4c1000 57203 1b27a4c101f 57202->57203 57245 1b27a4d6dc0 57203->57245 57205 1b27a4c104b CreateMutexExW 57207 1b27a4c10e3 57205->57207 57269 1b27a4c91e0 57207->57269 57209 1b27a4c1190 57273 1b27a4cf1a0 57209->57273 57214 1b27a4c12b5 CreateMutexExW 57218 1b27a4c12dc CreateMutexExW 57214->57218 57215 1b27a4c120b 57215->57214 57219 1b27a4c1326 57218->57219 57277 1b27a4dca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 57219->57277 57222 1b27a4dca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 57228 1b27a4c138e _LDint 57222->57228 57279 1b27a4e1b30 57228->57279 57232 1b27a4c1609 57320 1b27a4d01b0 57232->57320 57235 1b27a4c1651 57236 1b27a4c165a 57235->57236 57244 1b27a4c1669 _snprintf 57235->57244 57334 1b27a4dbe50 ConvertStringSecurityDescriptorToSecurityDescriptorW 57236->57334 57241 1b27a4c1649 ExitProcess 57243 1b27a4c165f 57244->57243 57335 1b27a4d03a0 CreateFileW LocalAlloc ReadFile CloseHandle _Mtx_guard::~_Mtx_guard 57244->57335 57247 1b27a4d6dd8 57245->57247 57246 1b27a4d73f1 LoadLibraryExW 57251 1b27a4d7412 57246->57251 57268 1b27a4d6deb 57246->57268 57247->57246 57248 1b27a4d733c GetProcAddressForCaller 57247->57248 57249 1b27a4d738a 57247->57249 57247->57268 57248->57249 57248->57268 57249->57246 57249->57268 57250 1b27a4d7793 LoadLibraryExW 57253 1b27a4d77ba 57250->57253 57250->57268 57251->57250 57251->57268 57252 1b27a4d78d5 LoadLibraryExW 57254 1b27a4d78f6 57252->57254 57252->57268 57253->57252 57253->57268 57255 1b27a4d7b4d LoadLibraryExW 57254->57255 57254->57268 57257 1b27a4d7b6e 57255->57257 57255->57268 
57256 1b27a4d7c83 LoadLibraryExW 57259 1b27a4d7caa 57256->57259 57256->57268 57257->57256 57257->57268 57258 1b27a4d7efb LoadLibraryExW 57261 1b27a4d7f1c 57258->57261 57258->57268 57259->57258 57259->57268 57260 1b27a4d8031 LoadLibraryExW 57265 1b27a4d8052 57260->57265 57260->57268 57261->57260 57263 1b27a4d7f82 GetProcAddressForCaller 57261->57263 57264 1b27a4d7fcd 57261->57264 57262 1b27a4d8167 LoadLibraryExW 57262->57268 57263->57264 57263->57268 57264->57260 57264->57268 57265->57262 57266 1b27a4d80b8 GetProcAddressForCaller 57265->57266 57267 1b27a4d8103 57265->57267 57266->57267 57266->57268 57267->57262 57267->57268 57268->57205 57270 1b27a4c9214 57269->57270 57271 1b27a4c934b StrCmpIW 57270->57271 57272 1b27a4c10fe 57270->57272 57271->57272 57272->57209 57333 1b27a4dbe50 ConvertStringSecurityDescriptorToSecurityDescriptorW 57272->57333 57274 1b27a4cf1ad lstrcmpiW 57273->57274 57276 1b27a4c119d CreateMutexExW 57274->57276 57276->57215 57278 1b27a4c133a 57277->57278 57278->57222 57280 1b27a4e1b3d CreateMutexExW 57279->57280 57281 1b27a4c15c1 57279->57281 57280->57281 57282 1b27a4c8d30 57281->57282 57336 1b27a4e6c1c 57282->57336 57284 1b27a4c8d54 RegCreateKeyExW 57285 1b27a4c8da0 RegCloseKey 57284->57285 57290 1b27a4c15d2 57284->57290 57286 1b27a4c8dbd _snprintf 57285->57286 57338 1b27a4c8e20 57286->57338 57291 1b27a4c8f60 57290->57291 57292 1b27a4c8fab 57291->57292 57297 1b27a4c15e3 57292->57297 57347 1b27a4dc980 CreateFileW 57292->57347 57294 1b27a4c8fc5 57295 1b27a4c8ffc RegOpenKeyW 57294->57295 57294->57297 57296 1b27a4c901d RegSetValueExW 57295->57296 57295->57297 57296->57297 57298 1b27a4c9057 LocalFree 57296->57298 57300 1b27a4c76c0 57297->57300 57298->57297 57301 1b27a4c76f4 57300->57301 57302 1b27a4c771c RegOpenKeyW 57301->57302 57305 1b27a4c15f4 57301->57305 57303 1b27a4c773d RegSetValueExW 57302->57303 57302->57305 57303->57305 57305->57232 57306 1b27a4cf740 57305->57306 57307 1b27a4cf766 57306->57307 57308 1b27a4cf777 CreateDirectoryW 57307->57308 
57317 1b27a4cf940 57307->57317 57309 1b27a4cf79a LocalAlloc 57308->57309 57310 1b27a4cf789 57308->57310 57311 1b27a4cf7bb 57309->57311 57309->57317 57310->57309 57310->57317 57312 1b27a4dc980 4 API calls 57311->57312 57311->57317 57313 1b27a4cf827 57312->57313 57314 1b27a4cf83e CreateFileW 57313->57314 57313->57317 57315 1b27a4cf887 57314->57315 57316 1b27a4cf8b5 WriteFile 57315->57316 57315->57317 57319 1b27a4cf8b1 LocalFree 57315->57319 57316->57317 57316->57319 57317->57232 57319->57317 57321 1b27a4d01d0 57320->57321 57322 1b27a4d023f CreateDirectoryW 57321->57322 57325 1b27a4c1621 57321->57325 57323 1b27a4d026e 57322->57323 57324 1b27a4d0286 LocalFree 57323->57324 57323->57325 57324->57325 57325->57235 57326 1b27a4d2000 57325->57326 57327 1b27a4d2018 57326->57327 57328 1b27a4d2029 LocalAlloc 57327->57328 57329 1b27a4c1644 57327->57329 57328->57329 57330 1b27a4d2053 _snprintf 57328->57330 57329->57235 57329->57241 57330->57329 57331 1b27a4d2137 CreateProcessW 57330->57331 57331->57329 57332 1b27a4d2194 LocalFree LocalFree 57331->57332 57332->57329 57333->57209 57334->57243 57335->57244 57337 1b27a4e6c4e _invalid_parameter_noinfo write_char _errno _snprintf 57336->57337 57337->57284 57339 1b27a4e6c1c 57338->57339 57340 1b27a4c8e49 RegGetValueW 57339->57340 57341 1b27a4c8dc7 57340->57341 57341->57290 57342 1b27a4c8eb0 57341->57342 57343 1b27a4e6c1c 57342->57343 57344 1b27a4c8ed9 RegOpenKeyW 57343->57344 57345 1b27a4c8ef8 RegSetValueExW 57344->57345 57346 1b27a4c8ef4 57344->57346 57345->57346 57346->57290 57348 1b27a4dc9d1 57347->57348 57349 1b27a4dca55 57347->57349 57348->57349 57350 1b27a4dc9e9 LocalAlloc 57348->57350 57349->57294 57350->57349 57351 1b27a4dca07 ReadFile 57350->57351 57351->57349 57352 1b27a4dca2e 57351->57352 57352->57349 57353 1b27a4dca38 CloseHandle 57352->57353 57353->57349 57354 a23760 57355 a2376a 57354->57355 57355->57354 57376 a22da0 57355->57376 57365 a237b6 57406 a22d00 57365->57406 57369 a237ca 57428 a23240 57369->57428 57371 a237cf 
57372 a24d00 WriteFile 57371->57372 57373 a23805 57372->57373 57374 a24d80 WriteFile 57373->57374 57375 a23845 57374->57375 57377 a22daa 57376->57377 57377->57376 57378 a24e00 WriteFile 57377->57378 57379 a22c40 WriteFile 57377->57379 57380 a23070 57377->57380 57381 a27400 WriteFile 57377->57381 57378->57377 57379->57377 57382 a3abe0 57380->57382 57381->57377 57385 a3abea 57382->57385 57383 a24c20 WriteFile 57384 a3ac0a 57383->57384 57386 a24d00 WriteFile 57384->57386 57385->57382 57385->57383 57387 a3ac25 57386->57387 57388 a24d80 WriteFile 57387->57388 57389 a3ac65 57388->57389 57390 a24d00 WriteFile 57389->57390 57391 a237a5 57390->57391 57392 a3ad40 57391->57392 57395 a3ad4a 57392->57395 57393 a24d80 WriteFile 57394 a3ad77 57393->57394 57396 a24d80 WriteFile 57394->57396 57395->57392 57395->57393 57397 a3adae 57396->57397 57398 a24d80 WriteFile 57397->57398 57399 a237aa 57398->57399 57400 a23400 57399->57400 57402 a2340a 57400->57402 57401 a24e80 WriteFile 57403 a2343b 57401->57403 57402->57400 57402->57401 57404 a23473 57403->57404 57405 a24d00 WriteFile 57403->57405 57435 a23340 WriteFile 57404->57435 57405->57404 57407 a22d0a 57406->57407 57407->57406 57408 a24d80 WriteFile 57407->57408 57409 a22d5b 57407->57409 57436 a27400 WriteFile 57407->57436 57408->57407 57411 a234a0 57409->57411 57417 a234aa 57411->57417 57412 a24e00 WriteFile 57412->57417 57413 a235ce 57413->57369 57414 a24c20 WriteFile 57414->57417 57417->57411 57417->57412 57417->57413 57417->57414 57418 a23679 57417->57418 57437 a23880 WriteFile 57417->57437 57438 a385c0 WriteFile 57417->57438 57419 a25000 WriteFile 57418->57419 57420 a236b3 57419->57420 57421 a23710 57420->57421 57439 a28ea0 WriteFile 57420->57439 57421->57369 57423 a236f3 57440 a29720 WriteFile 57423->57440 57425 a23705 57441 a28f00 WriteFile 57425->57441 57427 a2370a 57427->57369 57429 a2324a 57428->57429 57429->57428 57430 a24e00 WriteFile 57429->57430 57431 a23291 57430->57431 57432 a24d00 WriteFile 57431->57432 57434 a2332b 
57431->57434 57433 a232dd 57432->57433 57433->57371 57434->57371 57435->57365 57436->57407 57437->57417 57438->57417 57439->57423 57440->57425 57441->57427 57442 a3dd80 57446 a3dd92 57442->57446 57443 a28ea0 WriteFile 57443->57446 57445 a29720 WriteFile 57445->57446 57446->57442 57446->57443 57446->57445 57448 a3e106 57446->57448 57458 a3e151 57446->57458 57477 a290e0 WriteFile 57446->57477 57479 a4a840 WriteFile 57446->57479 57480 a27400 WriteFile 57446->57480 57481 a295a0 WriteFile 57446->57481 57485 a296a0 WriteFile 57446->57485 57486 a28f00 WriteFile 57446->57486 57517 a29460 WriteFile 57446->57517 57518 a41be0 WriteFile 57446->57518 57447 a3e11b 57451 a3e13e 57447->57451 57505 a31cc0 WriteFile 57447->57505 57448->57447 57504 a3ea40 WriteFile 57448->57504 57449 a3e262 57482 a3e2aa 57449->57482 57510 a28ea0 WriteFile 57449->57510 57506 a318c0 WriteFile 57451->57506 57453 a3e1ed 57508 a2bd80 WriteFile 57453->57508 57456 a3e18f 57456->57449 57456->57453 57458->57456 57507 a42a20 WriteFile 57458->57507 57459 a28ea0 WriteFile 57459->57482 57461 a3e209 57487 a3d940 57461->57487 57462 a3e274 57511 a29720 WriteFile 57462->57511 57467 a3e285 57512 a29460 WriteFile 57467->57512 57471 a3e291 57513 a29720 WriteFile 57471->57513 57472 a3e232 57473 a29720 WriteFile 57473->57482 57475 a3e2a5 57514 a28f00 WriteFile 57475->57514 57477->57446 57478 a295a0 WriteFile 57478->57482 57479->57446 57480->57446 57481->57446 57482->57459 57482->57473 57482->57478 57483 a28f00 WriteFile 57482->57483 57515 a27400 WriteFile 57482->57515 57516 a29460 WriteFile 57482->57516 57483->57482 57485->57446 57486->57446 57488 a3d94f 57487->57488 57488->57487 57489 a27400 WriteFile 57488->57489 57490 a3d972 57488->57490 57489->57488 57491 a3cc60 WriteFile 57490->57491 57492 a3da25 57491->57492 57495 a3da9a 57492->57495 57496 a3dacd 57492->57496 57523 a27400 WriteFile 57492->57523 57524 a3d7e0 WriteFile 57495->57524 57519 a48e00 WriteFile 57496->57519 57500 a3dc16 57503 a3dc3c 57500->57503 57520 a3d440 
WriteFile 57500->57520 57521 a49440 WriteFile 57500->57521 57502 a3dc71 57509 a2bd80 WriteFile 57502->57509 57522 a3cf40 WriteFile 57503->57522 57504->57447 57505->57451 57506->57458 57507->57456 57508->57461 57509->57472 57510->57462 57511->57467 57512->57471 57513->57475 57514->57482 57515->57482 57516->57482 57517->57446 57518->57446 57519->57500 57520->57500 57521->57500 57522->57502 57523->57495 57524->57496 57525 a36240 57526 a3624a 57525->57526 57526->57525 57527 a362a7 57526->57527 57529 a24f80 WriteFile 57526->57529 57528 a24d80 WriteFile 57527->57528 57530 a362fa 57528->57530 57529->57527 57531 a542e0 57532 a54300 57531->57532 57535 a5b140 57532->57535 57534 a54449 57538 a33660 57535->57538 57539 a33666 57538->57539 57539->57538 57540 a54580 WriteFile 57539->57540 57541 a336ab 57540->57541 57541->57534 57542 a54500 57543 a54534 57542->57543 57544 a5452f 57542->57544 57551 a316a0 57543->57551 57565 a2a800 WriteFile 57544->57565 57552 a316aa 57551->57552 57552->57551 57567 a2bd80 WriteFile 57552->57567 57554 a316f8 57559 a31725 57554->57559 57568 a47940 WriteFile 57554->57568 57556 a31887 57557 a31200 WriteFile 57556->57557 57558 a3188c 57557->57558 57566 a2a840 WriteFile 57558->57566 57559->57556 57569 a2bd80 WriteFile 57559->57569 57561 a3181d 57562 a3183b 57561->57562 57570 a47a80 WriteFile 57561->57570 57564 a2f2c0 WriteFile 57562->57564 57564->57556 57567->57554 57568->57559 57569->57561 57570->57562 57571 1b278c7efd3 VirtualProtect 57572 1b278c7ef8b 57571->57572 57573 1b278c7efeb 57571->57573 57574 1b278c7eff9 VirtualProtect 57573->57574 57575 1b278c818fc LoadLibraryA 57574->57575 57576 1b278c7f021 57575->57576 57576->57572 57577 1b278c7f03c VirtualProtect 57576->57577 57577->57572 57578 1b278c7f055 57577->57578 57579 1b278c7f063 VirtualProtect 57578->57579 57579->57572 57580 1b27a4d768b 57582 1b27a4d769b 57580->57582 57581 1b27a4d7793 LoadLibraryExW 57584 1b27a4d77ba 57581->57584 57599 1b27a4d7728 57581->57599 57582->57581 57582->57599 57583 
1b27a4d78d5 LoadLibraryExW 57586 1b27a4d78f6 57583->57586 57583->57599 57584->57583 57584->57599 57585 1b27a4d7b4d LoadLibraryExW 57588 1b27a4d7b6e 57585->57588 57585->57599 57586->57585 57586->57599 57587 1b27a4d7c83 LoadLibraryExW 57590 1b27a4d7caa 57587->57590 57587->57599 57588->57587 57588->57599 57589 1b27a4d7efb LoadLibraryExW 57592 1b27a4d7f1c 57589->57592 57589->57599 57590->57589 57590->57599 57591 1b27a4d8031 LoadLibraryExW 57596 1b27a4d8052 57591->57596 57591->57599 57592->57591 57594 1b27a4d7f82 GetProcAddressForCaller 57592->57594 57595 1b27a4d7fcd 57592->57595 57593 1b27a4d8167 LoadLibraryExW 57593->57599 57594->57595 57594->57599 57595->57591 57595->57599 57596->57593 57597 1b27a4d80b8 GetProcAddressForCaller 57596->57597 57598 1b27a4d8103 57596->57598 57597->57598 57597->57599 57598->57593 57598->57599 57600 1b27a4d7f29 57602 1b27a4d7f39 57600->57602 57601 1b27a4d8031 LoadLibraryExW 57606 1b27a4d8052 57601->57606 57609 1b27a4d7fc6 57601->57609 57602->57601 57604 1b27a4d7f82 GetProcAddressForCaller 57602->57604 57605 1b27a4d7fcd 57602->57605 57603 1b27a4d8167 LoadLibraryExW 57603->57609 57604->57605 57604->57609 57605->57601 57605->57609 57606->57603 57607 1b27a4d80b8 GetProcAddressForCaller 57606->57607 57608 1b27a4d8103 57606->57608 57607->57608 57607->57609 57608->57603 57608->57609 57610 1b27a4d72e3 57612 1b27a4d72f3 57610->57612 57611 1b27a4d73f1 LoadLibraryExW 57615 1b27a4d7412 57611->57615 57633 1b27a4d7383 57611->57633 57612->57611 57613 1b27a4d733c GetProcAddressForCaller 57612->57613 57614 1b27a4d738a 57612->57614 57613->57614 57613->57633 57614->57611 57614->57633 57616 1b27a4d7793 LoadLibraryExW 57615->57616 57615->57633 57618 1b27a4d77ba 57616->57618 57616->57633 57617 1b27a4d78d5 LoadLibraryExW 57620 1b27a4d78f6 57617->57620 57617->57633 57618->57617 57618->57633 57619 1b27a4d7b4d LoadLibraryExW 57622 1b27a4d7b6e 57619->57622 57619->57633 57620->57619 57620->57633 57621 1b27a4d7c83 LoadLibraryExW 57624 1b27a4d7caa 57621->57624 
57621->57633 57622->57621 57622->57633 57623 1b27a4d7efb LoadLibraryExW 57626 1b27a4d7f1c 57623->57626 57623->57633 57624->57623 57624->57633 57625 1b27a4d8031 LoadLibraryExW 57630 1b27a4d8052 57625->57630 57625->57633 57626->57625 57628 1b27a4d7f82 GetProcAddressForCaller 57626->57628 57629 1b27a4d7fcd 57626->57629 57627 1b27a4d8167 LoadLibraryExW 57627->57633 57628->57629 57628->57633 57629->57625 57629->57633 57630->57627 57631 1b27a4d80b8 GetProcAddressForCaller 57630->57631 57632 1b27a4d8103 57630->57632 57631->57632 57631->57633 57632->57627 57632->57633 57634 9fe700 57637 9fe706 57634->57637 57636 9fe728 57637->57634 57638 9fe740 57637->57638 57639 9fe74a 57638->57639 57639->57638 57640 a27400 WriteFile 57639->57640 57641 9fe785 57639->57641 57640->57639 57642 9fe85b 57641->57642 57643 9fe796 57641->57643 57644 a06840 WriteFile 57642->57644 57646 9fe7ca 57643->57646 57660 9fc120 WriteFile 57643->57660 57645 9fe865 57644->57645 57645->57636 57648 a06840 WriteFile 57646->57648 57651 9fe856 57646->57651 57649 9fe845 57648->57649 57649->57651 57652 9fe970 57649->57652 57650 9fe8c9 57654 9fe905 57650->57654 57657 a218e0 WriteFile 57650->57657 57651->57650 57661 9fc380 WriteFile 57651->57661 57662 a27400 WriteFile 57652->57662 57663 9fc380 WriteFile 57652->57663 57654->57636 57658 9fe8f0 57657->57658 57659 a218e0 WriteFile 57658->57659 57659->57654 57660->57646 57661->57650 57662->57652 57663->57652
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
      • String ID: @
      • API String ID: 1653215272-2766056989
      • Opcode ID: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
      • Instruction ID: 976ae001585e16b1e5c21a47c28f2f022087f06777f6181779b7885937eb4734
      • Opcode Fuzzy Hash: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
      • Instruction Fuzzy Hash: F672A830658B488FEB6DDF29C88A7E973D1FB68314F14462DD88ACB281DF70E9458B45

      Control-flow Graph

      Strings
      • ) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: , xrefs: 009FD505
      • out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi, xrefs: 009FD176
      • out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit, xrefs: 009FD165
      • , )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidled, xrefs: 009FD4E5
      • , xrefs: 009FD44F
      • arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p , xrefs: 009FD187
      • base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c, xrefs: 009FD431
      • out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume, xrefs: 009FD198
      • memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new , xrefs: 009FD532
      • region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m, xrefs: 009FD407
      • end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo, xrefs: 009FD45F
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: $) not in usable address space: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: $, )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidled$arena already initialized to unused region of span bytes failed with errno=runtime: VirtualAlloc of /sched/gomaxprocs:threadsremaining pointer buffersslice bounds out of range_cgo_thread_start missingallgadd: bad status Gidleruntime: program exceeds startm: p $base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-c$end outside usable address spaceGCProg for type that isn't largeruntime: failed to release pagesruntime: fixalloc size too largeinvalid limiter event type foundscanstack: goroutine not stoppedscavenger state is already wiredsweep increased allocation countremo$memory reservation exceeds address space limittried to park scavenger from another goroutinereleased less than one physical page of memory (bad use of unsafe.Pointer? try -d=checkptr)sysGrow bounds not aligned to pallocChunkBytesruntime: failed to create new $out of memory allocating allArenas/memory/classes/heap/objects:bytesruntime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning wit$out of memory allocating heap arena map/cpu/classes/gc/mark/assist:cpu-seconds/cpu/classes/scavenge/total:cpu-seconds/memory/classes/profiling/buckets:bytesmspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResume$out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbi$region exceeds uintptr range/gc/heap/frees-by-size:bytes/gc/heap/tiny/allocs:objects/sched/goroutines:goroutinesgcBgMarkWorker: mode not setmspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: m
      • API String ID: 0-1345119885
      • Opcode ID: 700bc75013b752d390000daae56adac780d21d9f7be87efe6d8e797ecaec1c91
      • Instruction ID: 3785d66e78ce50daaec74d0d590b33e3119330a4c835be626bc8b21b2fdab6f4
      • Opcode Fuzzy Hash: 700bc75013b752d390000daae56adac780d21d9f7be87efe6d8e797ecaec1c91
      • Instruction Fuzzy Hash: 2E029A62309BC882EB64CB55F4407AAB765F78AB94F848226EF9D57799CF3CC444C740
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: CreateMutex$Dint$ExitProcess
      • String ID:
      • API String ID: 1692871624-0
      • Opcode ID: f98d3638bcb4881571893d0b64532fb7071e35af9423874bbb812e626070e764
      • Instruction ID: 2254e8a4bda405b6246ea12a0a364adaf23816b67e4c1fa3edcc2afe050a7c29
      • Opcode Fuzzy Hash: f98d3638bcb4881571893d0b64532fb7071e35af9423874bbb812e626070e764
      • Instruction Fuzzy Hash: 3F7274701096448FF7B4EB68D8687EA73E2FBA5315F60052DE18FC21A0DFB98584CB19
      Strings
      • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 009FDCF3
      • mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= , xrefs: 009FE1E5
      • malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=, xrefs: 009FE1F6
      • delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablepe32 optional header has unexpected Magic of 0x%xnot enough sign, xrefs: 009FE19D
      • unexpected malloc header in delayed zeroing of large objectreflect: call of reflect.Value.Len on ptr to non-array Valuemanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: Pos, xrefs: 009FE18C
      • malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no , xrefs: 009FE207
      • mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largepe32+ optional header has unexpected Magic of 0x%xlimiterEve, xrefs: 009FE218
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC$delayed zeroing on data that may contain pointerssweeper left outstanding across sweep generationsfully empty unfreed span set block found in resetcasgstatus: waiting for Gwaiting but is Grunnablepe32 optional header has unexpected Magic of 0x%xnot enough sign$malloc deadlockruntime error: with GC progscan missed a gmisaligned maskruntime: min = runtime: inUse=runtime: max = bad panic stackrecovery failedstopm holding pstartm: m has ppreempt SPWRITEmissing mcache?ms: gomaxprocs=randinit missed]morebuf={pc:: no $malloc during signalclose of nil channelinconsistent lockedmnotetsleep not on g0bad system page size to unallocated span/gc/scan/stack:bytes/gc/scan/total:bytes/gc/heap/frees:bytes/gc/gomemlimit:bytesp mcache not flushed markroot jobs donepacer: assist ratio=$mallocgc called with gcphase == _GCmarkterminationrecursive call during initialization - linker skewattempt to execute system stack code on user stackcompileCallback: function argument frame too largepe32+ optional header has unexpected Magic of 0x%xlimiterEve$mallocgc called without a P or outside bootstrappingruntime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= $unexpected malloc header in delayed zeroing of large objectreflect: call of reflect.Value.Len on ptr to non-array Valuemanual span allocation called with non-manually-managed typeaddr range base and limit are not in the same memory segmentruntime: netpoll: Pos
      • API String ID: 0-4152454558
      • Opcode ID: 1c07a9087ef7c3bb9bd022a14b2628ef4e69f7e3abee94bcd684101d588a91df
      • Instruction ID: 4147b6dc3a26ee61eda3be64818b4a334084d49eaba23320d6d47c27e8052617
      • Opcode Fuzzy Hash: 1c07a9087ef7c3bb9bd022a14b2628ef4e69f7e3abee94bcd684101d588a91df
      • Instruction Fuzzy Hash: 4632F272319798C2DB248F11E4407BABB6AF785B94F489615EF9D07BA5CF78C885CB00

      Control-flow Graph

      control_flow_graph 1673 9f2020-9f2024 1674 9f202a-9f2039 call 9fe380 1673->1674 1675 9f2962-9f2967 call a546a0 1673->1675 1678 9f203e-9f2120 1674->1678 1680 9f2135-9f2163 call 9f29c0 1678->1680 1681 9f2122-9f2131 call a565e0 1678->1681 1686 9f2169-9f2185 1680->1686 1687 9f2372-9f2375 1680->1687 1681->1680 1690 9f21cc-9f21f7 1686->1690 1691 9f2187-9f21a9 call a3be40 1686->1691 1688 9f237b-9f2397 1687->1688 1689 9f2582-9f2585 1687->1689 1696 9f2399-9f23bb call a3be40 1688->1696 1697 9f23e1-9f240c 1688->1697 1694 9f258b-9f25a7 1689->1694 1695 9f26d3-9f2702 call 9f2980 1689->1695 1692 9f21f9-9f220d call a565e0 1690->1692 1693 9f2211-9f2244 1690->1693 1719 9f21be-9f21c8 1691->1719 1720 9f21ab-9f21ba call a565e0 1691->1720 1692->1693 1702 9f225c-9f2290 1693->1702 1703 9f2246-9f2258 call a565e0 1693->1703 1704 9f25a9-9f25c8 call a3be40 1694->1704 1705 9f25e4-9f260d 1694->1705 1732 9f295c-9f2961 1695->1732 1733 9f2708-9f27c8 call 9f2980 * 2 1695->1733 1737 9f23bd-9f23cf call a565e0 1696->1737 1738 9f23d3-9f23dd 1696->1738 1699 9f240e-9f241f call a565e0 1697->1699 1700 9f2423-9f2456 1697->1700 1699->1700 1710 9f2458-9f246d call a565e0 1700->1710 1711 9f2471-9f24a5 1700->1711 1715 9f22a8-9f22dc 1702->1715 1716 9f2292-9f22a4 call a565e0 1702->1716 1703->1702 1754 9f25dd 1704->1754 1755 9f25ca-9f25d9 call a565e0 1704->1755 1721 9f260f-9f2620 call a565e0 1705->1721 1722 9f2624-9f2655 1705->1722 1710->1711 1728 9f24bd-9f24f1 1711->1728 1729 9f24a7-9f24b9 call a565e0 1711->1729 1734 9f22de-9f22f0 call a565e0 1715->1734 1735 9f22f4-9f2331 1715->1735 1716->1715 1719->1690 1720->1719 1721->1722 1725 9f2657-9f266d call a565e0 1722->1725 1726 9f2671-9f26a3 1722->1726 1725->1726 1743 9f26bb-9f26ce 1726->1743 1744 9f26a5-9f26b7 call a565e0 1726->1744 1747 9f2509-9f2546 1728->1747 1748 9f24f3-9f2505 call a565e0 1728->1748 1729->1728 1776 9f27ca-9f27ce 1733->1776 1777 9f27d0-9f27f2 call 9f29a0 1733->1777 1734->1735 1752 9f2354-9f236a 1735->1752 1753 9f2333-9f2350 call a565e0 1735->1753 1737->1738 1738->1697 1743->1695 1744->1743 1762 9f2548-9f2560 call a565e0 1747->1762 1763 9f2564-9f257a 1747->1763 1748->1747 1752->1687 1753->1752 1754->1705 1755->1754 1762->1763 1763->1689 1778 9f2821-9f2837 1776->1778 1784 9f27fd-9f27ff 1777->1784 1785 9f27f4-9f27fb 1777->1785 1780 9f283d-9f28d9 call 9f2980 1778->1780 1781 9f2956-9f295b 1778->1781 1788 9f28db-9f28ea 1780->1788 1789 9f28f1-9f2919 call 9f2980 1780->1789 1787 9f2800-9f2802 1784->1787 1785->1787 1790 9f2819 1787->1790 1791 9f2804-9f2808 1787->1791 1788->1789 1797 9f291b-9f2920 1789->1797 1798 9f2921-9f2955 call 9f2980 1789->1798 1794 9f281b-9f281d 1790->1794 1791->1790 1793 9f280a-9f280e 1791->1793 1793->1790 1796 9f2810-9f2817 1793->1796 1794->1778 1796->1794
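      The serialized control-flow graph above is only useful once it is turned back into blocks and edges: which basic block is the entry, which helper is called from how many sites (a565e0 alone is called from more than a dozen blocks of this one function), and whether the dump is complete. The Python below is an added example, not Joe Sandbox code; the grammar it parses (`<id> <start>-<end>`, `call <addr>` with an optional `* <n>`, and `<a>-><b>` edges) is inferred from the text on this page and is an assumption, not a documented format. The embedded input is a constructed prefix of that graph plus the two unusual node shapes (`call 9f2980 * 2` and the single-address block `1754 9f25dd`) taken from further down the same dump.

```python
"""Parser for the serialized control-flow graph that Joe Sandbox prints
under "Control-flow Graph" on a function page.  Added example, not Joe
Sandbox code: the grammar is inferred from the text on this page and is
an assumption, not a documented format."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: a prefix of the graph text shown above, plus the
# two unusual node shapes from further down the same dump (a repeated
# call "* 2" and a single-address block).  The parser takes the full
# string just as well.
CFG_TEXT = (
    "control_flow_graph 1673 9f2020-9f2024 1674 9f202a-9f2039 call 9fe380 "
    "1673->1674 1675 9f2962-9f2967 call a546a0 1673->1675 1678 9f203e-9f2120 "
    "1674->1678 1680 9f2135-9f2163 call 9f29c0 1678->1680 1681 9f2122-9f2131 "
    "call a565e0 1678->1681 1686 9f2169-9f2185 1680->1686 1687 9f2372-9f2375 "
    "1680->1687 1681->1680 1733 9f2708-9f27c8 call 9f2980 * 2 1695->1733 "
    "1754 9f25dd 1704->1754"
)


@dataclass
class Block:
    bid: int                                    # node id used by the edge list
    start: int                                  # first instruction address
    end: int                                    # last instruction address
    calls: list = field(default_factory=list)   # [(target_addr, times)]


@dataclass
class Cfg:
    blocks: dict = field(default_factory=dict)  # bid -> Block
    edges: list = field(default_factory=list)   # [(src_bid, dst_bid)]


_RANGE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")


def parse_cfg(text):
    """Three token shapes occur in the dump: '<id> <start>-<end>' (a basic
    block; a lone address is a one-instruction block), 'call <addr>' with
    an optional '* <n>' (call sites inside the preceding block) and
    '<a>-><b>' (a control-flow edge)."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    cfg, last, i = Cfg(), None, 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            cfg.edges.append((int(src), int(dst)))
            i += 1
        elif tok == "call":
            if last is None or i + 1 >= len(tokens):
                raise ValueError("call without a preceding block")
            target, times, i = int(tokens[i + 1], 16), 1, i + 2
            if i + 1 < len(tokens) and tokens[i] == "*":
                times, i = int(tokens[i + 1]), i + 2
            last.calls.append((target, times))
        else:
            if not tok.isdigit() or i + 1 >= len(tokens):
                raise ValueError(f"unexpected token {tok!r} at {i}")
            m = _RANGE.match(tokens[i + 1])
            if m is None:
                raise ValueError(f"bad address range {tokens[i + 1]!r}")
            start = int(m.group(1), 16)
            end = int(m.group(2), 16) if m.group(2) else start
            last = Block(int(tok), start, end)
            cfg.blocks[last.bid] = last
            i += 2
    return cfg


def call_counts(cfg):
    """Call sites per target address; the most-called targets are the
    helpers worth identifying first when working through the function."""
    counts = Counter()
    for block in cfg.blocks.values():
        for target, times in block.calls:
            counts[target] += times
    return dict(counts)


def dangling_edges(cfg):
    """Edges with an endpoint not defined in the parsed text: empty on a
    complete dump, non-empty on a truncated one such as CFG_TEXT."""
    return [e for e in cfg.edges
            if e[0] not in cfg.blocks or e[1] not in cfg.blocks]


def entry_blocks(cfg):
    """Blocks that no edge enters: the function entry (9f2020 here)."""
    targets = {dst for _, dst in cfg.edges}
    return sorted(bid for bid in cfg.blocks if bid not in targets)


if __name__ == "__main__":
    g = parse_cfg(CFG_TEXT)
    print(f"{len(g.blocks)} blocks, {len(g.edges)} edges, entry {entry_blocks(g)}")
    for target, n in sorted(call_counts(g).items()):
        print(f"  call {target:x}: {n} site(s)")
```

      Paste the whole graph line into `CFG_TEXT` to get the full picture; `dangling_edges` is the check that the copy was complete, since a truncated page leaves edges pointing at blocks that were never defined.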
      Strings
      • rdtscppopcntcmd/gonetdnsheaderAnswer%s: %xconsoleCopySidWSARecvWSASendconnectfloat32float64invaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = , xrefs: 009F20C0
      • adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpig, xrefs: 009F2046
      • avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAIoctlshutdownGoStringscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 , xrefs: 009F2624
      • sse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED , xrefs: 009F22A8
      • avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0x509sha1ClassANYQuestionntdll.dllFindCloseLocalFreeMoveFileWWriteFileWSASendTocomplex64interfaceinvalid nfuncargs(bad indirreflect: Interfaced.nx != 0psapi.dllprofBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtrac, xrefs: 009F2671
      • pclmulqdqmath/randtlsrsakexfiles,dnsdns,filesipv6-icmpClassINETAuthority/dev/stdinowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllcomplex128t.Kind == execerrdotLockFileExWSASocketWnotifyLi, xrefs: 009F209F
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpig$avx512bwavx512vlgo/typesnet/httpgo/buildnetedns0x509sha1ClassANYQuestionntdll.dllFindCloseLocalFreeMoveFileWWriteFileWSASendTocomplex64interfaceinvalid nfuncargs(bad indirreflect: Interfaced.nx != 0psapi.dllprofBlockstackpoolhchanLeafwbufSpansmSpanDeadscavtrac$avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAIoctlshutdownGoStringscavengepollDesctraceBufdeadlockraceFinipanicnilcgocheckrunnable procid rax rbx rcx rdx rdi rsi rbp rsp r8 r9 r10 r11 r12 $pclmulqdqmath/randtlsrsakexfiles,dnsdns,filesipv6-icmpClassINETAuthority/dev/stdinowner diedDnsQuery_WGetIfEntryCancelIoExCreatePipeGetVersionWSACleanupWSAStartupgetsockoptsetsockoptdnsapi.dllws2_32.dllcomplex128t.Kind == execerrdotLockFileExWSASocketWnotifyLi$rdtscppopcntcmd/gonetdnsheaderAnswer%s: %xconsoleCopySidWSARecvWSASendconnectfloat32float64invaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingUNKNOWN:events, goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = $sse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc free span= prev= list=, i = code= addr= m->p= p->m=SCHED
      • API String ID: 0-1417408132
      • Opcode ID: 9c643a768f8ec8aa84f59b625758038bdd5eec99a0d6f59ef95dd1064b35c5bf
      • Instruction ID: f4ca3c46f812e5f08f112f08674aaf4e36797ee4cd0c6ceffbe0f2b877857066
      • Opcode Fuzzy Hash: 9c643a768f8ec8aa84f59b625758038bdd5eec99a0d6f59ef95dd1064b35c5bf
      • Instruction Fuzzy Hash: EF42AF7A108B48CAF700DF65F845F993BA4F355B84F448226DA9D8B362DF79C4A9C341
      Strings
      • runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10invalid or incomplete multibyte or wide characterslice bounds out of, xrefs: 00A25787
      • runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsHad a bad time getting restore point: %v138777878078144567552953958511352539062569388939039072283776, xrefs: 00A257AF
      • self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchnot pollableCfgMgr32.dllsetupapi.dllwintrust.dllwtsapi32.dllReportEventWCreateMu, xrefs: 00A257C5
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: runtime.preemptM: duplicatehandle failed; errno=runtime: waitforsingleobject wait_failed; errno=strconv: illegal AppendFloat/FormatFloat bitSizenot enough significant bits after mult64bitPow10invalid or incomplete multibyte or wide characterslice bounds out of$runtime.preemptM: duplicatehandle failedglobal runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsHad a bad time getting restore point: %v138777878078144567552953958511352539062569388939039072283776$self-preempt [recovered]bad recoverybad g statusentersyscallwirep: p->m=) p->status=releasep: m= sysmonwait= preemptoff=cas64 failed m->gsignal=-byte limitruntime: sp=abi mismatchnot pollableCfgMgr32.dllsetupapi.dllwintrust.dllwtsapi32.dllReportEventWCreateMu
      • API String ID: 0-1863512095
      • Opcode ID: 1126cb3ff532d9fc41985dd48f636640860cf349cfb3c991e9276940f26be467
      • Instruction ID: bd8716699ad4c02ead356ad9e25d117cdec99d2e0b50df18d5862f6dad494663
      • Opcode Fuzzy Hash: 1126cb3ff532d9fc41985dd48f636640860cf349cfb3c991e9276940f26be467
      • Instruction Fuzzy Hash: B3C19F36605F9481DB20DF29F84136E7761F78AB94F089236DAAC43BA5DF39C492CB40
      Strings
      • PowerRegisterSuspendResumeNotification, xrefs: 00A23169
      • powrprof.dll, xrefs: 00A23119
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: PowerRegisterSuspendResumeNotification$powrprof.dll
      • API String ID: 0-3247360486
      • Opcode ID: 748306455cc0cdd962a134eaef724f13414d11fa4ce0e781f7d601c1ebda70af
      • Instruction ID: 4c39461a2edead7809f2ffc7988f236ece4eba5f68622e41fcfe63f85bee1410
      • Opcode Fuzzy Hash: 748306455cc0cdd962a134eaef724f13414d11fa4ce0e781f7d601c1ebda70af
      • Instruction Fuzzy Hash: B3214632208B84C6EB01CF15F44535ABBA5F78AB84F588626EA8C47B69DF7DC195CB40
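      The function record above resolves `PowerRegisterSuspendResumeNotification` from `powrprof.dll`, and it sits in the same module at 009F0000 whose other records carry Go runtime panic and metric strings (`runtime: VirtualAlloc of`, `/sched/gomaxprocs:threads`, `mallocgc called ...`). The Go runtime on Windows loads powrprof.dll and registers exactly that callback itself (runtime/os_windows.go, so that its timers recover after a suspend), so this import is expected in any Go binary and on its own says nothing about the payload. The dump regions that are not based on a PE image (000001B27A4C1000 with CreateMutex/ExitProcess/lstrcmpi, 000001B278C10000 with VirtualAlloc and a Yara match) carry no Go strings at all and are the ones to read first. The Python below is an added triage helper, not Joe Sandbox code or the sample's: the marker list is a heuristic of this example, and the per-region input is constructed from an abbreviated selection of the String ID and API ID fields on this page.

```python
"""Added triage helper: per memory region, decide whether the strings
Joe Sandbox attached to its functions are Go runtime boilerplate, so
that Go's own Windows imports are not read as payload behaviour.
The marker list is a heuristic of this example, not a Joe Sandbox rule."""

# Constructed from the function records on this page: a few of the
# "String ID" / "API ID" fields per dump region, abbreviated.  Joe Sandbox
# joins several strings or API names with '$' inside one field.
REGIONS = {
    "009F0000 based_on_pe=True": {
        "string_ids": [
            "runtime: VirtualAlloc of /sched/gomaxprocs:threads",
            "mallocgc called without a P or outside bootstrapping",
            "PowerRegisterSuspendResumeNotification$powrprof.dll",
            "self-preempt [recovered]bad recoverybad g status",
        ],
        "api_ids": [],
    },
    "000001B27A4C1000 based_on_pe=False": {
        "string_ids": [],
        "api_ids": ["CreateMutex$Dint$ExitProcess", "lstrcmpi"],
    },
    "000001B278C10000 based_on_pe=False": {
        "string_ids": [],
        "api_ids": ["AllocVirtual"],
    },
}

# Substrings that only the Go runtime emits (heuristic, assumption of
# this example); two or more distinct hits in a region is treated as
# "this region is Go runtime code".
GO_RUNTIME_MARKERS = ("runtime:", "runtime.", "mallocgc", "goroutine",
                      "/sched/", "/gc/", "/memory/classes/", "gomaxprocs",
                      "mspan", "gcphase", "bad g status", "preempt")

# Imports the Go runtime resolves itself at start-up on Windows
# (runtime/os_windows.go); seeing them in a Go module is expected.
GO_RUNTIME_OPTIONAL_IMPORTS = {"powrprof.dll",
                               "PowerRegisterSuspendResumeNotification"}


def split_ids(joined):
    """Split a '$'-joined String ID / API ID field into its parts."""
    return [part for part in joined.split("$") if part]


def go_runtime_hits(strings):
    """Number of strings that contain at least one Go runtime marker."""
    return sum(any(m in s for m in GO_RUNTIME_MARKERS) for s in strings)


def triage(regions, min_hits=2):
    """Classify each region and list the Go-runtime-owned imports it
    contains, so they can be discounted when reading the signatures."""
    report = {}
    for name, rec in regions.items():
        strings = [s for j in rec["string_ids"] for s in split_ids(j)]
        apis = [a for j in rec["api_ids"] for a in split_ids(j)]
        hits = go_runtime_hits(strings)
        is_go = hits >= min_hits
        if is_go:
            verdict = "go-runtime"
        elif apis and not strings:
            verdict = "code-without-go-strings"   # review this region first
        else:
            verdict = "unknown"
        report[name] = {
            "strings": len(strings),
            "apis": apis,
            "go_hits": hits,
            "verdict": verdict,
            "expected_runtime_imports": sorted(
                s for s in strings if s in GO_RUNTIME_OPTIONAL_IMPORTS
            ) if is_go else [],
        }
    return report


if __name__ == "__main__":
    for region, info in triage(REGIONS).items():
        print(region, info["verdict"], info["expected_runtime_imports"])
```

      The point of `expected_runtime_imports` is the caveat: a "registers a suspend/resume callback" signature fired by a region that is otherwise full of Go runtime strings is the runtime's own behaviour, and the behaviour worth attributing to the payload is whatever the non-PE regions do with `CreateMutex`, `lstrcmpi` and `VirtualAlloc`.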
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
      • Instruction ID: 9f5a2e0b6b41dacf03606e80b07f45200eb8bda2083d41f11c75a1eab3d3ba44
      • Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
      • Instruction Fuzzy Hash: 37C1A7306549058BFB5DEA2AD48A7FAB3D1FBA8310F14432DD44ACB1D6DF70E849C685
      Strings
      • grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me, xrefs: 00A19022
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: grew heap, but no adequate free space foundroot level max pages doesn't fit in summaryruntime: releaseSudog with non-nil gp.paramunknown runnable goroutine during bootstrapruntime: casfrom_Gscanstatus bad oldval gp=runtime:stoplockedm: lockedg (atomicstatus=me
      • API String ID: 0-3724787384
      • Opcode ID: 4a7bf5be069226780375828105615d46f7dda4ef383fd86da7f64172008db5df
      • Instruction ID: ee1d91837c63e6a5e1ae541648a2d8a95994cd305f6aa57b4aad7cc885cb395e
      • Opcode Fuzzy Hash: 4a7bf5be069226780375828105615d46f7dda4ef383fd86da7f64172008db5df
      • Instruction Fuzzy Hash: 3AE16D72209B8485EB60CB55F49079EBB61F78ABD0F589116EE8D43B69CF3CC494CB40
      Strings
      • span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor, xrefs: 00A06030
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: span has no free objectsruntime: found obj at *(runtime: VirtualFree of /cgo/go-to-c-calls:calls/gc/heap/objects:objects/sched/latencies:secondsqueuefinalizer during GCupdate during transitionruntime: markroot index can't scan our own stackgcDrainN phase incor
      • API String ID: 0-1712010102
      • Opcode ID: d203450acb01d06bbebda50fa3a71de4bedf89a95e5b95e9feddb898e8f9b2ea
      • Instruction ID: 6e901e734c3d6ecf6965c6bca09c631f748a0c6008cb7b7dd366725d0f06d626
      • Opcode Fuzzy Hash: d203450acb01d06bbebda50fa3a71de4bedf89a95e5b95e9feddb898e8f9b2ea
      • Instruction Fuzzy Hash: E8C1CE32609B458ADF14CF24F4907AEB764F785B94F484225EB8E47BA9DF38C894CB50
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: lstrcmpi
      • String ID:
      • API String ID: 1586166983-0
      • Opcode ID: 742e74ce351c1f1b12b47fea87978d01d3a5733e57109485170f251d8ccbb01e
      • Instruction ID: 0612b5af73b421c4657f928f8a5ede054f2a3a628fed4daa20777cb559b7b525
      • Opcode Fuzzy Hash: 742e74ce351c1f1b12b47fea87978d01d3a5733e57109485170f251d8ccbb01e
      • Instruction Fuzzy Hash: 65B12031108B448FF398EF64D86C79A77E1FB99352F604529E18AC32B0DF798944CB16
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5789849c5df1d235c287a98531861d3ae46835fcbb5b53e9f6bf2dfb16c67bec
      • Instruction ID: d36a0f940fef19e81d5b4287925c2bf73a33d99f50dc37160dc803ab84fbd880
      • Opcode Fuzzy Hash: 5789849c5df1d235c287a98531861d3ae46835fcbb5b53e9f6bf2dfb16c67bec
      • Instruction Fuzzy Hash: D7C17C32609B4486EB04CF65F49076AB770F78AB84F549626FA8D47B69DF7CC844CB40
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 42b1900c2128b6d4f09da6308f9934932028859ec5738839137e36d3acb6f721
      • Instruction ID: 9375c39dcbe6973c472121493d73a1f480214c16059475e85c90365858c640c8
      • Opcode Fuzzy Hash: 42b1900c2128b6d4f09da6308f9934932028859ec5738839137e36d3acb6f721
      • Instruction Fuzzy Hash: 1591FF72B09624CBEB24DF28F8907696762F785B88F88D235DA0D07725DB79C8C5C780
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 33577010ddc080ba9d9ce269e630847f0545611fdd5dd6c56f1addd733da69ca
      • Instruction ID: 002fd4227a908c01340555c55585a5949483355440614b295354e99cc3cff649
      • Opcode Fuzzy Hash: 33577010ddc080ba9d9ce269e630847f0545611fdd5dd6c56f1addd733da69ca
      • Instruction Fuzzy Hash: 6A3180BB315B8991EB448B19F5817EA6762E385BC0F85D132DE4F57769CE38C58AC300
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a5a7acd6965f656c70168b1ae0f5dee71d817a5538690fe68639afad6aa71994
      • Instruction ID: 61c8c2c7031e08d38d482b634db879364d501d96b1bba9bf8876a204dbfba8db
      • Opcode Fuzzy Hash: a5a7acd6965f656c70168b1ae0f5dee71d817a5538690fe68639afad6aa71994
      • Instruction Fuzzy Hash: A4215E33608B85C1DA10CB25F44536AB761F35ABD8F449221EEAD47BA9DB3DC191CB40
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c5a17312eacb160121f9eea0b528651a09acfa2ad52bd57e63ccf263f8cb0842
      • Instruction ID: c4ae167a6c419576d114064797e1354ce48416cef22f2997b73fb7b51c9c548b
      • Opcode Fuzzy Hash: c5a17312eacb160121f9eea0b528651a09acfa2ad52bd57e63ccf263f8cb0842
      • Instruction Fuzzy Hash: 83C23E30119A88DFF7B5EB54D4587EA73E0FBBA311F60092ED58AC21A1DF359489CB06

      Control-flow Graph

      • Graph figure not reproduced. Function at 1b27a4cf740; nodes call CreateDirectoryW, LocalAlloc, CreateFileW, WriteFile and LocalFree, plus internal functions 1b27a4d0060 and 1b27a4dc980.
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: CreateLocal$AllocDirectoryFileFree
      • String ID: P
      • API String ID: 1520254948-3110715001
      • Opcode ID: da20fc7a7724216b2506d8b5ae4f75a843dfdb9977f341af6ed6c5acbf74433f
      • Instruction ID: 5db038d3dc429a46aa52218bd407ae81b52e5ae7ab2c0f138ae19f5fe2c2b741
      • Opcode Fuzzy Hash: da20fc7a7724216b2506d8b5ae4f75a843dfdb9977f341af6ed6c5acbf74433f
      • Instruction Fuzzy Hash: 9F61DF311197548FEBB4EB68C49C79AB7E1FBA5315F504A2DD08EC21E0CF799485CB06

      Control-flow Graph

      • Graph figure not reproduced. Function at 1b27a4d2000; nodes call LocalAlloc, CreateProcessW and LocalFree (twice), plus internal functions 1b27a4d0060, 1b27a4e6c1c and 1b27a4e6b30.
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: Local$Free$AllocCreateProcess_errno_invalid_parameter_noinfo
      • String ID: h
      • API String ID: 4074914292-2439710439
      • Opcode ID: 14ca2ddfcce8b4881243e4c524c2883a0a1c3527abb3c7557773b7ebc18441d8
      • Instruction ID: 219a53d31803fc0dd2056144b1ed7739928fde619f86c324ee89dcf07da07552
      • Opcode Fuzzy Hash: 14ca2ddfcce8b4881243e4c524c2883a0a1c3527abb3c7557773b7ebc18441d8
      • Instruction Fuzzy Hash: CE51FD30118B488FE754EB24D8597ABB7E1FB98302F60492DE586C32B0DF79D885CB46

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual$LibraryLoad
      • String ID:
      • API String ID: 895956442-0
      • Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
      • Instruction ID: 6e83928c218b75a12787411abb56748361cf0647c4c87724be923b86b10a9386
      • Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
      • Instruction Fuzzy Hash: A8318B3131CA094FDB5CAA29A88A7A977D5E7D4720F00076EE84BC72C5DF70DD0A46D5

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
      • Instruction ID: 8df8c7021df6adaeb95077df5413e2444f6c8489fae0a2b3eb1e5b5cabb73e91
      • Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
      • Instruction Fuzzy Hash: 9521813131CA084BDB5CA92DB89A3A973D5E7D8720F10026EE84BC72CADF70DD0646C5

      Control-flow Graph

      • Graph figure not reproduced. Function at 1b27a4dc980; nodes call CreateFileW, LocalAlloc, ReadFile and CloseHandle.
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: File$AllocCloseCreateHandleLocalRead
      • String ID:
      • API String ID: 1443864953-0
      • Opcode ID: d5fc9f4b33cbbbcc9f8f3db8ab93582bc92b71007fb63339fe9d281fc4954cf0
      • Instruction ID: 3eb75600047d996920d5d1f170478dce00535a1ea18b510d6feb4f7ed101ccd2
      • Opcode Fuzzy Hash: d5fc9f4b33cbbbcc9f8f3db8ab93582bc92b71007fb63339fe9d281fc4954cf0
      • Instruction Fuzzy Hash: 0F21FD30118B448FE754DF68C45871BBBF0FB99355F504A1DE586C32A0CBB5D885CB42

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: CloseCreate_errno_invalid_parameter_noinfo
      • String ID: ?
      • API String ID: 3067000685-1684325040
      • Opcode ID: e1fa8e690777478dbb7aaf1e3c6718a9e7df1082e362113efa4485b0f282c34c
      • Instruction ID: e2930b3aad760cc8a6230e0b3dbfb4ed2602e41720010ddb2f1abdf5d769aac9
      • Opcode Fuzzy Hash: e1fa8e690777478dbb7aaf1e3c6718a9e7df1082e362113efa4485b0f282c34c
      • Instruction Fuzzy Hash: 902157301186448BF794EB64C8647EBB7E1FBA1315F500A2DE44BC21E1EFB9D549CB85
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: FileLocal$AllocCloseCreateFreeHandleOpenReadValue_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 9688765-0
      • Opcode ID: 59493ee6c7077778934f02759ea539db7f92bfe724745750aa23e1573cf8735b
      • Instruction ID: d2b02508e69c9ceb8f49fe60978e64bbb92fdf0c1c2ad4ec5cd142f2f9096d22
      • Opcode Fuzzy Hash: 59493ee6c7077778934f02759ea539db7f92bfe724745750aa23e1573cf8735b
      • Instruction Fuzzy Hash: ED31FF301186449FE7A4EB64D89CBDA73E1FBD4305F50092DE54EC21A1EF759544CB46
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID: LibraryLoad
      • String ID: l
      • API String ID: 1029625771-2517025534
      • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
      • Instruction ID: 0fa657f0827813c9b8c6f52ccc7c63093ebe4411b622919d3bee1efe8b8c1dcf
      • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
      • Instruction Fuzzy Hash: 6731F330558B858FE799DB2DC049B62BBD5FBA9308F2547ADC0DACB193DB70D80A8705
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: CreateDirectoryFreeLocal
      • String ID:
      • API String ID: 2937684288-0
      • Opcode ID: 3d6c5400fb6232b5440fa9e95e054a6000238df74fb640f1787ec0ff3ebb7f51
      • Instruction ID: f80e72ab7a7ce1ed0ca9d37472e243af4d539328bd639ca6c37fbd0a077f3531
      • Opcode Fuzzy Hash: 3d6c5400fb6232b5440fa9e95e054a6000238df74fb640f1787ec0ff3ebb7f51
      • Instruction Fuzzy Hash: 9631DC30118B448FE7A4EB58D85C76AB7F1FBD9312F90082EF146C31A4DB799885CB06
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: OpenValue_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 809911093-0
      • Opcode ID: bafd6c7505aa3cec60dc00240c711fa44000b726ee165bdf6933eea115b47741
      • Instruction ID: bf9981390b40c135d785963ff94e8ebbf96fbabd96305653824fe4d4af8a1120
      • Opcode Fuzzy Hash: bafd6c7505aa3cec60dc00240c711fa44000b726ee165bdf6933eea115b47741
      • Instruction Fuzzy Hash: 7F215431118A488BF364EB24E898BEB73E5FBD8315F500539E54AC3194EF79D584CB45
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual$LibraryLoad
      • String ID:
      • API String ID: 895956442-0
      • Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
      • Instruction ID: 66c3c48f728984b6b7691daf8d83a1ed674015827a9f19fd49e70bfd339dc978
      • Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
      • Instruction Fuzzy Hash: F0116531718A084BDB99EB19D8C97AA77D5FBD8700F04066EEC4ACB289DF70DE458781
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: OpenValue_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 809911093-0
      • Opcode ID: dabac1a20c07f68502351d61ad0aafea07900113097daaf66410e45343aed6c1
      • Instruction ID: 9f695b6efaf7101cc589637b8a9b3d32ec0e2a2e1f30247af5a1dc25e0503433
      • Opcode Fuzzy Hash: dabac1a20c07f68502351d61ad0aafea07900113097daaf66410e45343aed6c1
      • Instruction Fuzzy Hash: 291180302286449FE394EF24D858BAA77E5FBA5305F500929F48AC22A0DFB9C904CB46
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2959964966-0
      • Opcode ID: a40e8e4882deb632cbb976bceb1dbfc021a17528ebf96bf44d647521f47a5f93
      • Instruction ID: 6e7a0d3c45370f113f414fffd53825b05a4c5dd275ec201ac92bbff5456a7cb4
      • Opcode Fuzzy Hash: a40e8e4882deb632cbb976bceb1dbfc021a17528ebf96bf44d647521f47a5f93
      • Instruction Fuzzy Hash: 7D412131218A888BE760EB34D8547DBB3D1FB98300F614A3A958EC32A1EF35D645C746
      APIs
      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000001B27A4DCAC7
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: DescriptorSecurity$ConvertString
      • String ID:
      • API String ID: 3907675253-0
      • Opcode ID: 11272a2e7ab32d03185ac6325af245eb3004fbee0aa731c5a7eb43ec361abfc4
      • Instruction ID: 3a8ed3094063761f5dde6f5c375bd82ce7631ad37964a1644168bfa2fcfd0e63
      • Opcode Fuzzy Hash: 11272a2e7ab32d03185ac6325af245eb3004fbee0aa731c5a7eb43ec361abfc4
      • Instruction Fuzzy Hash: F4111870118B888FE754DF54D85879BFBF0FB95345F50092DE58AC22A0DBB9C945CB42
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: AddressCallerLibraryLoadProc
      • String ID:
      • API String ID: 4215043672-0
      • Opcode ID: d3c6e82d341fdc58c4ee0e0beb1d402abe7649a5e2826e12daa8f3b61ba4bcb1
      • Instruction ID: 5b65e2938332007e78a23aebce1a3ae5c8b3cb6869b527abea7e3b8b955f3d26
      • Opcode Fuzzy Hash: d3c6e82d341fdc58c4ee0e0beb1d402abe7649a5e2826e12daa8f3b61ba4bcb1
      • Instruction Fuzzy Hash: 5F11DB34218B888FE775EB55D4987EBB3E4FBA6311F90091ED48ED2150DF395445CB02
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: AddressCallerLibraryLoadProc
      • String ID:
      • API String ID: 4215043672-0
      • Opcode ID: 175f4f39c38ea6b1026292fd509b3c5c591c0c80c5e03c7319577518d773177d
      • Instruction ID: 8ca2f0605cfb4a06bb0281faa6b0b2b3029b222a7d88c178f43ba6d775f474a3
      • Opcode Fuzzy Hash: 175f4f39c38ea6b1026292fd509b3c5c591c0c80c5e03c7319577518d773177d
      • Instruction Fuzzy Hash: A711C53461CB888EE775EB58C494BEAB3E0FBE6311F90491DD18EC21A0DB796495CB43
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: AddressCallerLibraryLoadProc
      • String ID:
      • API String ID: 4215043672-0
      • Opcode ID: 0af500e9fc0feaf599aacb806cbe120ad5ae0dc2b63974d019f6ddcc2e35b223
      • Instruction ID: 19602c33f236372ad2cddfb02d741a8c172f6980205b4c8bb3932d3695e91f42
      • Opcode Fuzzy Hash: 0af500e9fc0feaf599aacb806cbe120ad5ae0dc2b63974d019f6ddcc2e35b223
      • Instruction Fuzzy Hash: 0F116D34218B888FE774FB58C4587EA73E0FBA9301F50491EC08AC3191DF765589CB86
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID: FileWrite
      • String ID:
      • API String ID: 3934441357-0
      • Opcode ID: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
      • Instruction ID: 919297549562f8c176c01ffad5bb3e2cf94caf76ef2d5c655bc8fa957219ff85
      • Opcode Fuzzy Hash: d0420e7b245c68536b1289b904fe6097933a37c154ff1c15fd575de53d0a58cb
      • Instruction Fuzzy Hash: 84115E36A05F80C1DB218B1AE84132D7374F748BE4F244225DFAD67BA4DB39E1A2CB40
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: Value_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 4005939669-0
      • Opcode ID: 5cbe764aeda1c5945a6e93de4f8dccfc6a9e97416addf78d358c4e106c5a5808
      • Instruction ID: 1693e95f4177f72d50eb90480cd276e9e3e7e9ea72d4ffe80c3ca868f9533732
      • Opcode Fuzzy Hash: 5cbe764aeda1c5945a6e93de4f8dccfc6a9e97416addf78d358c4e106c5a5808
      • Instruction Fuzzy Hash: F8013130118A488FF790EB54D859B9AB7E4F7A4305F500A2EE84DC3190EBB9D648CB46
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: CreateMutex
      • String ID:
      • API String ID: 1964310414-0
      • Opcode ID: f814f6e7bafc190a419314394220be9ea48f845bea0626bfb9e640e2b12b39a9
      • Instruction ID: 8485fb5e311afa0a6999317eec00e34703dc052001bed545d72450eebabd7193
      • Opcode Fuzzy Hash: f814f6e7bafc190a419314394220be9ea48f845bea0626bfb9e640e2b12b39a9
      • Instruction Fuzzy Hash: 7EE086B4D459088FFB68E769EED839131B5F376316F504425D409C51E0EB7EC298874D
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: FreeLocal
      • String ID:
      • API String ID: 2826327444-0
      • Opcode ID: f992e332d222a4d17fc7fb876d1f1a6f1a1439ebee4c827675b39005004bd709
      • Instruction ID: c0e70b0a493032bbf4a6e5a348518fe6b2a0361c9255f1531c3d8842affeb421
      • Opcode Fuzzy Hash: f992e332d222a4d17fc7fb876d1f1a6f1a1439ebee4c827675b39005004bd709
      • Instruction Fuzzy Hash: D7D012301186048BEB70F754D82976977A1F7A5312F54002A901BC21A0CF7D4885CB06
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errnowrite_multi_char$_invalid_parameter_noinfowrite_char$_fileno_getptdfree
      • String ID: $@
      • API String ID: 920461082-1077428164
      • Opcode ID: e2fee4e15932b786adf0fe852ccd7b16741be36214435e4bb46e0613915b18e9
      • Instruction ID: 63c076bb0d98cef0aae351af797f59fca9dc9a421c880586730113c6c33f899a
      • Opcode Fuzzy Hash: e2fee4e15932b786adf0fe852ccd7b16741be36214435e4bb46e0613915b18e9
      • Instruction Fuzzy Hash: 5D72C53051C7598AE7689A9884653EB77E0FBB7324F34861DD586C32D2DF36C80B864A
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: __doserrno_errno_invalid_parameter_noinfo
      • String ID: U
      • API String ID: 3902385426-4171548499
      • Opcode ID: 5f4b7be45a5ff0a78e4e8128bc43395c487008e499688c2a984ed18db5922cb4
      • Instruction ID: d8311f16e6b7d147eccfa3023a29b7c9c3c6a06f12d31fb8d5b5954011d7142e
      • Opcode Fuzzy Hash: 5f4b7be45a5ff0a78e4e8128bc43395c487008e499688c2a984ed18db5922cb4
      • Instruction Fuzzy Hash: 8D32F73111CA44DBE7189FA8C8567EA73E1FBA6320F64051DE486C3192DF36D84AC78E
      Strings
      • /_`+]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allg, xrefs: 00A0B385
      • non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d, xrefs: 00A0B718
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase $ MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:$ MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException $ ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32$ ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)traceback} stack=$+]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall$.$/_`+]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allg$failed to set sweep barrierwork.nwait was > work.nproc not in stack roots range [allocated pages below zero?address not a stack addressmspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPre$gc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m$gc done but gcphase != _GCoffruntime: p.gcMarkWorkerMode= scanobject of a noscan objectruntime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foun$gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next= $non-concurrent sweep failed to drain all sweep queuescompileCallback: argument size is larger than uintptrmin size of malloc header is not a size class boundarygcControllerState.findRunnable: blackening not enabledno goroutines (main called runtime.Goexit) - d
      • API String ID: 0-1845765171
      • Opcode ID: b456c3adb1f6e1899da67e5c6ac102f20f7dd5960f155d34da9cf683050448be
      • Instruction ID: 1bdd5e6931c6752ffbee06c3fb7d516e2c6e2cf0cbca2300858a44ba11867e5b
      • Opcode Fuzzy Hash: b456c3adb1f6e1899da67e5c6ac102f20f7dd5960f155d34da9cf683050448be
      • Instruction Fuzzy Hash: 3E728D36215BC886EB20DF25F9817AA7365F78AB84F448226DA8D03B6ADF3CC444C751
      Strings
      • , levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:, xrefs: 00A1C3A5
      • runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupuse of closed fileCM_MapCr, xrefs: 00A1BE4F
      • runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlE, xrefs: 00A1C305
      • , )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidled, xrefs: 00A1BDF3, 00A1BE0F, 00A1C231, 00A1C24F
      • runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)semacquire not on the G stackruntime: split stack overflowstring concatenation too longinvalid function symbol tabl, xrefs: 00A1C385
      • , j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type FreeSidSleepEx19531259765625avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAIoctlshutdownGoStringscavengepollDesctraceBufdeadl, xrefs: 00A1C2BA
      • , npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by i/o timeoutsechost.dllversion, xrefs: 00A1C29C
      • ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc, xrefs: 00A1BDD8
      • ][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <=, xrefs: 00A1BDBA, 00A1C1FB
      • ] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcin, xrefs: 00A1C216
      • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00A1BE7C, 00A1C5CC
      • runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 00A1BD9F, 00A1C1D6
      • , i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base sendto390625Commonrdtscppopcntcmd/gonetdnsheaderAnswer%s: %xconsoleCopySidWSARecvWSASendconnectfloat32float64invaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO, xrefs: 00A1C325
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: , )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidled$, i = code= addr= m->p= p->m=SCHED curg= ctxt: min= max= (...) m=nil base sendto390625Commonrdtscppopcntcmd/gonetdnsheaderAnswer%s: %xconsoleCopySidWSARecvWSASendconnectfloat32float64invaliduintptrChanDir Value>forcegcallocmWcpuprofallocmRunknowngctraceIO$, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type FreeSidSleepEx19531259765625avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAIoctlshutdownGoStringscavengepollDesctraceBufdeadl$, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime:$, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64nan3float32nan2GOTRACEBACK) at entry+ (targetpc= , plugin: runtime: g : frame.sp=created by i/o timeoutsechost.dllversion$] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcin$] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next= jobs= goid sweep B -> % util alloc$][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <=$bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)semacquire not on the G stackruntime: split stack overflowstring concatenation too longinvalid function symbol tabl$runtime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupuse of closed fileCM_MapCr$runtime: p.searchAddr = range partially overlapsstack trace unavailablebindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartbad use of trace.seqlockAllocateAndInitializeSidBuildSecurityDescriptorWAssignProcessToJobObjectGenerateConsoleCtrlE$runtime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
      • API String ID: 0-1428436601
      • Opcode ID: de35b0db16cd01a02109349835d96b36eb4538067745b50c02b28b304f9ce963
      • Instruction ID: af7fc33cdc21ad7876d035a0abf33ae4fa96e7cce54e62cc16e29be2efc0cdc0
      • Opcode Fuzzy Hash: de35b0db16cd01a02109349835d96b36eb4538067745b50c02b28b304f9ce963
      • Instruction Fuzzy Hash: 1E32CD76724BD481DB20AB16F9813DAB326F789BD0F408122EE9D07B5ADF78C985C740
      Strings
      • (targetpc= , plugin: runtime: g : frame.sp=created by i/o timeoutsechost.dllversion.dllGetFileTimeVirtualFreeCoGetObjectEnumWindowsMessageBoxW30517578125gocachehashgocachetesthttp2clienthttp2serverarchive/tartls10servercrypto/x509archive/zipClassHESIODinvalid, xrefs: 00A3F517, 00A3F698
      • +]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall, xrefs: 00A3F5D2, 00A3F74F
      • and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint3, xrefs: 00A3F4CF, 00A3F65A
      • missing stackmapbad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCreateNamedPipeWDefineDosDeviceWFindFirstVolumeWGetLogicalDrivesGetNamedPipeInfoGetPriorityClassSetD, xrefs: 00A3F5F9, 00A3F779
      • args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine GetSecurityDescriptorControlInitializeSecurityDescriptorSetSecurityDescriptorControlFindFirstChangeNotificationWGetProce, xrefs: 00A3F4EF
      • runtime: pcdata is bad ABI descriptiondodeltimer: wrong Padjusttimers: bad pfile already existsfile does not existfile already closedQueryServiceConfigWCreatePseudoConsoleGetDiskFreeSpaceExWGetLargePageMinimumGetOverlappedResultGetSystemDirectoryWResizePseudoC, xrefs: 00A3F4B3, 00A3F63F
      • ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbas, xrefs: 00A3F532, 00A3F6B3
      • bad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCreateNamedPipeWDefineDosDeviceWFindFirstVolumeWGetLogicalDrivesGetNamedPipeInfoGetPriorityClassSetDllDirectoryWSetF, xrefs: 00A3F54A, 00A3F6CA
      • untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: ControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofRe, xrefs: 00A3F5B7
      • runtime: frame runtimer: bad ptraceback stuckGetSecurityInfoSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodeIsWin, xrefs: 00A3F594, 00A3F709
      • untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCreateNamedPipeWDefineDosDeviceWFindFirstVolumeWGetLogicalDrivesGetNamedPipeInfoGetP, xrefs: 00A3F72C
      • locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of rangesync: inconsistent mutex statesync: unlock of unlocked mutexGetSecurityDescriptorRMControlQueryServiceDynamicInformationSetSecurityDescripto, xrefs: 00A3F675
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: (targetpc= , plugin: runtime: g : frame.sp=created by i/o timeoutsechost.dllversion.dllGetFileTimeVirtualFreeCoGetObjectEnumWindowsMessageBoxW30517578125gocachehashgocachetesthttp2clienthttp2serverarchive/tartls10servercrypto/x509archive/zipClassHESIODinvalid$ and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint3$ args stack map entries for invalid runtime symbol tableruntime: no module data for traceRegion: alloc too large[originating from goroutine GetSecurityDescriptorControlInitializeSecurityDescriptorSetSecurityDescriptorControlFindFirstChangeNotificationWGetProce$ locals stack map entries for abi mismatch detected between runtime: impossible type kind unsafe.Slice: len out of rangesync: inconsistent mutex statesync: unlock of unlocked mutexGetSecurityDescriptorRMControlQueryServiceDynamicInformationSetSecurityDescripto$ untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: ControlServiceCreateServiceWIsWellKnownSidMakeAbsoluteSDSetThreadTokenCreateEventExWCreateMutexExWGetTickCount64IsWow64ProcessLoadLibraryExWSetConsoleModeSizeofRe$ untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCreateNamedPipeWDefineDosDeviceWFindFirstVolumeWGetLogicalDrivesGetNamedPipeInfoGetP$) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbas$+]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall$bad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCreateNamedPipeWDefineDosDeviceWFindFirstVolumeWGetLogicalDrivesGetNamedPipeInfoGetPriorityClassSetDllDirectoryWSetF$missing stackmapbad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCreateNamedPipeWDefineDosDeviceWFindFirstVolumeWGetLogicalDrivesGetNamedPipeInfoGetPriorityClassSetD$runtime: frame runtimer: bad ptraceback stuckGetSecurityInfoSetSecurityInfoAddDllDirectoryFindNextVolumeWFindVolumeCloseGetCommTimeoutsIsWow64Process2QueryDosDeviceWSetCommTimeoutsSetVolumeLabelWRtlDefaultNpAclCLSIDFromStringStringFromGUID2IsWindowUnicodeIsWin$runtime: pcdata is bad ABI descriptiondodeltimer: wrong Padjusttimers: bad pfile already existsfile does not existfile already closedQueryServiceConfigWCreatePseudoConsoleGetDiskFreeSpaceExWGetLargePageMinimumGetOverlappedResultGetSystemDirectoryWResizePseudoC
      • API String ID: 0-3467211602
      • Opcode ID: f3f193e51e106a433b3d046ebee46f28d56ff06fc0161fe3d8ff395cf8286ed8
      • Instruction ID: 5821020b3b51e5bc313a9b63a3fd9e4bbf3ead6990b35bcd6ab43ad21d17788e
      • Opcode Fuzzy Hash: f3f193e51e106a433b3d046ebee46f28d56ff06fc0161fe3d8ff395cf8286ed8
      • Instruction Fuzzy Hash: B1E18B36728B9086DB64EF69F58039AB365F789B80F505132EE8D47B69DF38C944CB10
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: write_multi_char$_errno$_getptd_invalid_parameter_noinfofreewrite_char
      • String ID:
      • API String ID: 2983306934-0
      • Opcode ID: f314fa1a04d89f2d58bebcb04c5c44ad645d9e45fc6ea60ff7cc086cfa18213a
      • Instruction ID: f7f4bf6ef4c67a119405df332904194c1d8ec6a2369ef20450dcc60f4fa7ba5b
      • Opcode Fuzzy Hash: f314fa1a04d89f2d58bebcb04c5c44ad645d9e45fc6ea60ff7cc086cfa18213a
      • Instruction Fuzzy Hash: 0B72DB3151C7858AEF689B9884613BB73E1FBA6322F34052DD586C32D1DF76DC0A874A
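      Two things a practitioner wants to pull out of the disassembly metadata above: which memory region each function was lifted from (the PE image at 009F0000, versus the region at 000001B27A4C1000 that the report marks "based on PE: false"), and which code base the function's names belong to (the Go runtime panic and GC-trace strings in the 009F0000 entries, versus the Microsoft CRT printf internals `_getptd`, `write_multi_char`, `write_char` and `_invalid_parameter_noinfo` in the API IDs of the 000001B27A4C1000 entries). The Python below is an added example, not part of this Joe Sandbox report or of Joe Sandbox's own tooling. The layout of the `.sdmp` name is an assumption inferred from the values on this page: the field after the base address is read as a winnt.h PAGE_* protection constant and the second field after that as a MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE type constant; the two remaining fields are left undecoded. The marker substrings used to classify strings are this example's own heuristic.

```python
import re
from dataclasses import dataclass

# Windows memory constants from winnt.h (MEMORY_BASIC_INFORMATION.Protect / .Type).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

# ASSUMED layout of a Joe Sandbox .sdmp name, inferred from the values on this page
# (not documented here): <proc>.<dump>.<id>.<base>.<protect>.<flag>.<type>.<index>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flag>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)

# Heuristic markers: Go runtime panic/trace strings vs. Microsoft CRT printf internals.
GO_RUNTIME_MARKERS = ("runtime.", "runtime:", "GOMEMLIMIT", "GODEBUG", "goroutine", "gcBgMarkWorker")
MSVCRT_MARKERS = ("_getptd", "_invalid_parameter_noinfo", "write_multi_char", "write_char", "__doserrno")


@dataclass(frozen=True)
class DumpRegion:
    base: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        # Every PAGE_EXECUTE* constant sets a bit in the high nibble of the low byte.
        return bool(self.protect & 0xF0)

    @property
    def image_backed(self) -> bool:
        return self.mem_type == 0x01000000

    def describe(self) -> str:
        prot = PAGE_PROTECT.get(self.protect, hex(self.protect))
        kind = MEM_TYPE.get(self.mem_type, hex(self.mem_type))
        return f"{self.base:#x} {prot} {kind}"


def parse_sdmp(name: str) -> DumpRegion:
    """Decode one dump descriptor; raise ValueError for anything that does not fit the assumed layout."""
    m = SDMP_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a dump descriptor: {name!r}")
    return DumpRegion(base=int(m["base"], 16), protect=int(m["protect"], 16), mem_type=int(m["type"], 16))


def code_family(text: str) -> str:
    """Guess which code base a function's API IDs and strings come from."""
    is_go = any(k in text for k in GO_RUNTIME_MARKERS)
    is_crt = any(k in text for k in MSVCRT_MARKERS)
    return {(True, True): "mixed", (True, False): "go-runtime", (False, True): "msvcrt"}.get((is_go, is_crt), "unknown")


def triage(entries):
    """entries: (dump name, 'API ID' field, concatenated 'Strings') per function, as copied from the report."""
    rows = []
    for name, api_id, strings in entries:
        region = parse_sdmp(name)
        rows.append({
            "region": region.describe(),
            "family": code_family(api_id + " " + strings),
            # Executable code in a region not backed by a mapped PE image is the case the report
            # labels "based on PE: false": that region is worth carving and scanning on its own.
            "unbacked_exec": region.executable and not region.image_backed,
        })
    return rows


# Two entries copied from this report: the non-PE region carrying CRT names, and the Go image.
SAMPLE_ENTRIES = [
    ("00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp",
     "_errnowrite_multi_char$_invalid_parameter_noinfowrite_char$_fileno_getptdfree", ""),
    ("00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp",
     "", "runtime.SetFinalizer: pointer not in allocated block heapGoal=GOMEMLIMIT"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ENTRIES):
        print(row)
```

      Feed it every "Source File:" line of a function block together with that block's API ID and Strings fields; the rows with `unbacked_exec` set and a family other than the main image's are the ones to prioritise, since they are the code the file's own PE headers do not account for.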
      Strings
      • , not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed, xrefs: 00A09610
      • runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state, xrefs: 00A095CB
      • runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi, xrefs: 00A0961F
      • , not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00A09525
      • because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupuse of c, xrefs: 00A094C6
      • runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru, xrefs: 00A09630
      • runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already , xrefs: 00A09443, 00A09497, 00A09501
      • runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru, xrefs: 00A095DC
      • runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block, xrefs: 00A09534
      • runtime.SetFinalizer: pointer not at beginning of allocated blockreflect: reflect.Value.UnsafePointer on an invalid notinheap pointertoo many concurrent operations on a single file or socket (max 1048575)MapIter.Next called on an iterator that does not have an, xrefs: 00A0954A
      • nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod, xrefs: 00A095ED
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: because dotdotdotruntime: npages = runtime: range = {index out of rangeruntime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupuse of c$, not a functiongc: unswept span KiB work (bg), mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$, not pointer != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failed$nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated timeEndPeriod$runtime.SetFinalizer: cannot pass too many pages allocated in chunk?mspan.ensureSwept: m is not lockedVirtualQuery for stack base failedforEachP: sched.safePointWait != 0schedule: spinning with local workruntime: g is running but p is notdoaddtimer: P already $runtime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs when work.full != 0runtime: out of memory: cannot allocate runtime.preemptM: duplicatehandle failedglobal runq empty wi$runtime.SetFinalizer: first argument is nilruntime.SetFinalizer: finalizer already setgcBgMarkWorker: unexpected gcMarkWorkerModenon in-use span found with specials bit setgrew heap, but no adequate free space foundroot level max pages doesn't fit in summaryru$runtime.SetFinalizer: first argument was allocated into an arenacompileCallback: expected function with one uintptr-sized resultuser arena chunk size is not a multiple of the physical page sizeruntime: function marked with #cgo nocallback called back into Goru$runtime.SetFinalizer: pointer not at beginning of allocated blockreflect: reflect.Value.UnsafePointer on an invalid notinheap pointertoo many concurrent operations on a single file or socket (max 1048575)MapIter.Next called on an iterator that does not have an$runtime.SetFinalizer: pointer not in allocated blockruntime: use of FixAlloc_Alloc before FixAlloc_Initspan set block with unpopped elements found in resetruntime: GetQueuedCompletionStatusEx failed (errno= casfrom_Gscanstatus: gp->status is not in scan state$runtime.SetFinalizer: second argument is gcSweep being done but phase is not GCoffobjects added out of order or overlappingmheap.freeSpanLocked - invalid stack freemheap.freeSpanLocked - invalid span stateattempted to add zero-sized address rangeruntime: block
      • API String ID: 0-2314801022
      • Opcode ID: 39e2d0ff2fa3e28e40b74329a15a9c1535a50fcbdf139f64e5763b0bd31ed27b
      • Instruction ID: 9254aa18a8f8da70aadb919bcc468650885bb1a0e9f4eafee13c8077dba46ef4
      • Opcode Fuzzy Hash: 39e2d0ff2fa3e28e40b74329a15a9c1535a50fcbdf139f64e5763b0bd31ed27b
      • Instruction Fuzzy Hash: 80F1AF32709B8885EB609B21F4903AF77A4F789B80F488236DA8D17BD6DF38D594C711
      Strings
      • mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1, xrefs: 00A1643B
      • swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb, xrefs: 00A15FCD
      • sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt, xrefs: 00A1610F
      • mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea, xrefs: 00A1642A
      • mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification, xrefs: 00A16058
      • mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00A1602F, 00A16405
      • nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes nil PoolwsaioctlEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0x509sha1ClassANYQuestionntdll.dllFin, xrefs: 00A160A8
      • sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte, xrefs: 00A15FBC
      • sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine dwmapi.dll, xrefs: 00A1600F, 00A163E5
      • previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:, xrefs: 00A160C5
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: mheap.sweepgen=runtime: nelems=workbuf is emptymSpanList.removemSpanList.insertbad special kindbad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod$ nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes nil PoolwsaioctlEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0x509sha1ClassANYQuestionntdll.dllFin$ previous allocCount=, levelBits[level] = runtime: searchIdx = defer on system stackpanic on system stackasync stack too largestartm: m is spinningstartlockedm: m has pfindrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime:$ sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nanException ptrSize= targetpc= until pc=unknown pcruntime: ggoroutine dwmapi.dll$mspan.sweep: bad span state after sweepruntime: blocked write on free polldescPowerRegisterSuspendResumeNotification$mspan.sweep: bad span stateinvalid profile bucket typeruntime: corrupted polldescruntime: netpollinit failedruntime: asyncPreemptStack=runtime: thread ID overflowstopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdea$mspan.sweep: m is not lockedfound pointer to free objectmheap.freeSpanLocked - span runtime.semasleep unexpectedfatal: morestack on gsignalruntime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1$sweep increased allocation countremovespecial on invalid pointerruntime: root level max pages = WSAGetOverlappedResult not found_cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevrunt$sweep: tried to preserve a user arena spanruntime: blocked write on closing polldescacquireSudog: found s.elem != nil in cachefatal error: cgo callback before cgo callon a locked thread with no template threadunexpected signal during runtime executionattempte$swept cached spanmarkBits overflowruntime: summary[runtime: level = , p.searchAddr = RtlGetCurrentPeb
      • API String ID: 0-2687929702
      • Opcode ID: 787fc5d22eff570f9af6940a112434f54d50f104757b637fafdf959c80d0b73d
      • Instruction ID: 8c41f1eff122e340f65164969452ff85bc5b39e7a6c9c6c50cf4f933446bc73d
      • Opcode Fuzzy Hash: 787fc5d22eff570f9af6940a112434f54d50f104757b637fafdf959c80d0b73d
      • Instruction Fuzzy Hash: 3282BC73608BD4C6DB60CB25E5407AEB7A5F389B84F449226EACD43B99DF38C495CB40
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: std::rethrow_exception
      • String ID: h
      • API String ID: 1317400359-2439710439
      • Opcode ID: 8ee3f583c56d212dec831c16406cf4e4c95e6968c2955d7366080fd8d4f38ae1
      • Instruction ID: 5f11a5d2bb5c621bfe87361fbc2d12bff3fb4a89724631ae0a6cde317e3e6bca
      • Opcode Fuzzy Hash: 8ee3f583c56d212dec831c16406cf4e4c95e6968c2955d7366080fd8d4f38ae1
      • Instruction Fuzzy Hash: D022083011C7888FE7B5DF58C4987EAB7E1FBA9316F50492DE18AC2290DF759948CB06
      Strings
      • findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r, xrefs: 00A303DD
      • findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionunsupported operationCM_Get_DevNode_StatusChangeServiceConfig2WDeregist, xrefs: 00A303EE
      • findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlineSubscribeServiceChangeNotifications17763568394002504646778106689453125888178419700125, xrefs: 00A303BB
      • findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg, xrefs: 00A303CC
      • global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsHad a bad time getting restore point: %v13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle, xrefs: 00A303AA
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: findrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativeruntime: name offset out of rangeruntime: type offset out of r$findrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid runtime symbol tableruntime: no module data for traceReg$findrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=file type does not support deadlineSubscribeServiceChangeNotifications17763568394002504646778106689453125888178419700125$findrunnable: wrong ppreempt at unknown pcreleasep: invalid argcheckdead: runnable gruntime: newstack at runtime: newstack sp=runtime: confused by pcHeader.textStart= timer data corruptionunsupported operationCM_Get_DevNode_StatusChangeServiceConfig2WDeregist$global runq empty with non-zero runqsizemust be able to track idle limiter eventruntime: SyscallN has too many argumentsHad a bad time getting restore point: %v13877787807814456755295395851135253906256938893903907228377647697925567626953125ryuFtoaFixed32 calle
      • API String ID: 0-3828683212
      • Opcode ID: ed6c1dc0b3413130e9eb2e06fc107d8702b8b30a48cda57b938ba7c8689e7e25
      • Instruction ID: 8db753957db96b92990acbfbe101665870bed91e51cb6d5636c524a527c7820b
      • Opcode Fuzzy Hash: ed6c1dc0b3413130e9eb2e06fc107d8702b8b30a48cda57b938ba7c8689e7e25
      • Instruction Fuzzy Hash: 90929D32209B948AEB358F25F5907EAB360F785B94F488236DA8D57B64CF7DC885C740
      Strings
      • ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbas, xrefs: 00A4B20D
      • ... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4, xrefs: 00A4B1B7
      • non-Go function at pc=EnumDependentServicesWWaitForMultipleObjectsNtSetSystemInformationRtlDeleteFunctionTableSetupDiEnumDriverInfoWSetupDiGetClassDevsExWWSAGetOverlappedResultWSALookupServiceBeginW4656612873077392578125device or resource busyinterrupted syste, xrefs: 00A4B4DB
      • sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, f, xrefs: 00A4B392
      • fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= to, xrefs: 00A4B372
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= to$ sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptracepanicsleep cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, f$) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbas$... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4$non-Go function at pc=EnumDependentServicesWWaitForMultipleObjectsNtSetSystemInformationRtlDeleteFunctionTableSetupDiEnumDriverInfoWSetupDiGetClassDevsExWWSAGetOverlappedResultWSALookupServiceBeginW4656612873077392578125device or resource busyinterrupted syste
      • API String ID: 0-1608628172
      • Opcode ID: f3d885babe3141f07c383dc8b006a5b01e1068689c97c277d279a79fdbaa125a
      • Instruction ID: f19846dff0715834b8dff811e41ba18bbe901edc9a8887e7f95a43af76bc27f8
      • Opcode Fuzzy Hash: f3d885babe3141f07c383dc8b006a5b01e1068689c97c277d279a79fdbaa125a
      • Instruction Fuzzy Hash: 4422453A219BC086DB609B25F5903AFB761F7C9B80F545126EE8D07B6ACF39C485CB10
      Strings
      • suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function RtlDosPathNameToNtPathName_U_WithStatus27755575615628913510590791702270507812584804f99e2c7ab8aee611d256a, xrefs: 00A286CA
      • , gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp, xrefs: 00A28610
      • runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupuse of closed fileCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSu, xrefs: 00A285DA
      • , goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type FreeSidSleepEx19531259765625avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAI, xrefs: 00A285F5, 00A28677
      • invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCrea, xrefs: 00A286B9
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: , goid= s=nil (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type FreeSidSleepEx19531259765625avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAI$, gp->atomicstatus=marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp$invalid g statuscastogscanstatusbad g transitionschedule: in cgoreflect mismatch untyped locals missing stackmapbad symbol tablenon-Go function not in ranges:SetEntriesInAclWSetServiceStatusCryptProtectDataCryptQueryObjectConnectNamedPipeCreateJobObjectWCrea$runtime: gp: gp=runtime: getg: g=forEachP: not done in async preemptbad manualFreeListruntime: textAddr frames elided..., locked to threadruntime.semacreateruntime.semawakeupuse of closed fileCM_MapCrToWin32ErrCloseServiceHandleCreateWellKnownSidGetSidSu$suspendG from non-preemptible goroutineruntime: casfrom_Gscanstatus failed gp=stack growth not allowed in system calltraceback: unexpected SPWRITE function RtlDosPathNameToNtPathName_U_WithStatus27755575615628913510590791702270507812584804f99e2c7ab8aee611d256a
      • API String ID: 0-3225884625
      • Opcode ID: 6c0d8734fb2c820db0d7e1074ac7526651c0ecec466191c50a63645a191e1424
      • Instruction ID: 7d388080ec6f99bb174bec4662572d83e5b03c839c832773d527596feefb2359
      • Opcode Fuzzy Hash: 6c0d8734fb2c820db0d7e1074ac7526651c0ecec466191c50a63645a191e1424
      • Instruction Fuzzy Hash: ECD14A76609B9082DB14DB29F18176ABB61F38AB90F448176FE9D07B6ACF7CC441CB50
      Strings
      • +]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall, xrefs: 00A11025
      • pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valuesemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong P, xrefs: 00A10F86
      • MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from DeleteServiceStartServiceW, xrefs: 00A11005
      • (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type FreeSidSleepEx19531259765625avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAIoctlshutdownGo, xrefs: 00A10FA5
      • -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of ), xrefs: 00A10FE5
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: (scan MB in pacer: % CPU ( zombie, j0 = head = panic: nmsys= locks= dying= allocsGODEBUG m->g0= pad1= pad2= text= minpc= value= (scan)types : type FreeSidSleepEx19531259765625avx512fos/execruntime#internno anodeCancelIoReadFileAcceptExWSAIoctlshutdownGo$ MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase}sched={pc:, gp->status= pluginpath= runtime: pid=: unknown pc called from DeleteServiceStartServiceW$+]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall$-> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgallprootitabsbrkidledead is LEAFbase of )$pacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valuesemaRoot rotateRightreflect.makeFuncStubdodeltimer0: wrong P
      • API String ID: 0-951795110
      • Opcode ID: 651526a418da869414f2405ebb532c774cbb2d7d2c0f3b9b9b434e305fbc6d28
      • Instruction ID: 9748bd50018194f215566f10ce744ad61e75600ef54317ac5ecc249db22fe5c3
      • Opcode Fuzzy Hash: 651526a418da869414f2405ebb532c774cbb2d7d2c0f3b9b9b434e305fbc6d28
      • Instruction Fuzzy Hash: 81718032618F9485D601EF65E44079AB7A8FB8ABC0F449736EA8E27B25CF78C491C750
      Strings
      • +]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall, xrefs: 00A105C5
      • marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during , xrefs: 00A1063E
      • greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did n, xrefs: 00A1064F
      • base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptrac, xrefs: 00A105FB
      • runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)semacquire not on the G stac, xrefs: 00A10587
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: +]M[<=1-{}Ly%x: i), )(M [("")) ) @s -> Pn=][}]> +25LlLtLuMn"\\?nilintmapptr... m=EOFfinobjgc %: gp *(in n= ) - NaN P MPC= < end > ]:???pc= G125625adxaesshaavxfmanetcgodnstcpudpfilereadseekopenpipebindtrueboolint8uintchanfunccallkind on allgall$base of ) = <==GOGC] = pc=+Inf-Inf: p=cas1cas2cas3cas4cas5cas6 at m= sp= sp: lr: fp= gp= mp=) m=3125Atoiermssse3avx2bmi1bmi2icmpigmp<nil>writeclosentohsfalseErrorint16int32int64uint8arrayslice and defersweeptestRtestWexecWexecRschedhchansudoggscanmheaptrac$greyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freeattempt to clear non-empty span setruntime: close polldesc w/o unblockfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did n$marking free object KiB work (eager), [controller reset]mspan.sweep: state=sysMemStat overflowbad sequence numberntdll.dll not foundwinmm.dll not foundruntime: g0 stack [panic during mallocpanic holding locksmissing deferreturnunexpected gp.parampanic during $runtime: marking free object addspecial on invalid pointerruntime: summary max pages = runtime: levelShift[level] = doRecordGoroutineProfile gp1=timeBegin/EndPeriod not foundruntime: sudog with non-nil cgfput: bad status (not Gdead)semacquire not on the G stac
      • API String ID: 0-1677810536
      • Opcode ID: 6e8dca77a695ae99fa981dcbf0d8dbeafad27a8ae70bd285c30a1cfbf87065a0
      • Instruction ID: b68a920097d87ce51ae21bd8d3928d72b82f6f04026e40b07b24094dd1720607
      • Opcode Fuzzy Hash: 6e8dca77a695ae99fa981dcbf0d8dbeafad27a8ae70bd285c30a1cfbf87065a0
      • Instruction Fuzzy Hash: B561EC72614B8086DB009F15E5407ADBB75F78ABD0F845126EF8E07B66CBB8C5E4C740
      Strings
      • packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes nil PoolwsaioctlEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntavx512bwavx512vlgo/typesnet/httpgo/b, xrefs: 009FBF65
      • lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces, xrefs: 009FBFAF
      • runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p, xrefs: 009FBF25
      • -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac, xrefs: 009FBF85
      • cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object n, xrefs: 009FBF45
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: -> node= ms cpu, (forced) wbuf1.n= wbuf2.n= s.limit= s.state= B work ( B exp.) marked unmarked in use), size = bad prune, tail = recover: not in [ctxt != 0, oldval=, newval= threads=: status= blocked= lockedg=atomicor8 runtime= m->curg=(unknown)tracebac$ cnt=gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object n$ packed=BAD RANK status unknown(trigger= npages= nalloc= nfreed=[signal newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes nil PoolwsaioctlEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntavx512bwavx512vlgo/typesnet/httpgo/b$lfstack.push span.limit= span.state=bad flushGen MB stacks, worker mode nDataRoots= nSpanRoots= wbuf1=<nil> wbuf2=<nil> gcscandone runtime: gp= found at *( s.elemsize= B (goal , cons/mark maxTrigger= pages/byte s.sweepgen= allocCount end tracegcProces$runtime: lfstack.push invalid packing: node=out of memory allocating heap arena metadata/cpu/classes/scavenge/background:cpu-secondsruntime: unexpected metric registration for gcmarknewobject called while doing checkmarkactive sweepers found at start of mark p
      • API String ID: 0-3066382416
      • Opcode ID: 4655a93cf0c610fa6299d2d38cc22161067603a125096b4d4a5d2e9d7c3019f6
      • Instruction ID: 1586f3399bf39ea5e3ace2fd6258f7e405d8bf0dc20b6f88e5c730769b11e58e
      • Opcode Fuzzy Hash: 4655a93cf0c610fa6299d2d38cc22161067603a125096b4d4a5d2e9d7c3019f6
      • Instruction Fuzzy Hash: D3214A36624B54C6D700EF15F9813AAB768F74AB80F889531EB8D07B2ACF38C545C750
      Strings
      • != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase, xrefs: 00A0A2D1
      • p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valuesemaRoot rotateRight, xrefs: 00A0A2F8
      • flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan, xrefs: 00A0A2B6
      • runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64, xrefs: 00A0A29B
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: != sweepgen MB globals, work.nproc= work.nwait= nStackRoots= flushedWork double unlock s.spanclass= MB) workers=min too large-byte block (runtime: val=runtime: seq=fatal error: idlethreads= syscalltick=load64 failedxadd64 failedxchg64 failednil stackbase$ flushGen MB goal, s.state = s.base()= heapGoal=GOMEMLIMIT KiB now, pages at sweepgen= sweepgen , bound = , limit = tracefree(tracegc()exitThreadBad varintGC forced runqueue= stopwait= runqsize= gfreecnt= throwing= spinning=atomicand8float64nanfloat32nan$p mcache not flushed markroot jobs donepacer: assist ratio=workbuf is not emptybad use of bucket.mpbad use of bucket.bpruntime: double waitws2_32.dll not foundpreempt off reason: forcegc: phase errorgopark: bad g statusgo of nil func valuesemaRoot rotateRight$runtime: p ms clock, nBSSRoots=runtime: P exp.) for minTrigger=GOMEMLIMIT=bad m value, elemsize= freeindex= span.list=, npages = tracealloc( p->status= in status idleprocs= gcwaiting= schedtick= timerslen= mallocing=bad timedivfloat64nan1float64nan2float64
      • API String ID: 0-4177187854
      • Opcode ID: 965289f310d441236374574f136103cdceb4876b7db0c619e19848f1691dbc68
      • Instruction ID: 5d906c38e490f82f1fdc0d62b39c4514e9be62f25376553ae099acff3353469e
      • Opcode Fuzzy Hash: 965289f310d441236374574f136103cdceb4876b7db0c619e19848f1691dbc68
      • Instruction Fuzzy Hash: 59E1A132204B48CAEB10DF65F58175FB765F78AB90F448226EA9D43BA6DF39C485CB01
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: 2-by$expa$nd 3$te k
      • API String ID: 0-3581043453
      • Opcode ID: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
      • Instruction ID: 0c71f4ba0b98ea64ad8700245c74ae3ff760222ec817bf0c77dbc5df3d1e57c8
      • Opcode Fuzzy Hash: d0a0678b136faf6cdae2b5bb443573c909990b14ac4f0b67f8b4f134291ae36c
      • Instruction Fuzzy Hash: 77B1B066F25FD94AF323A63910036B7EB185FFB9C9A40E327FC9474A87D72095036254
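The record above references four 4-byte strings, "expa", "nd 3", "2-by" and "te k", which together spell "expand 32-byte k", the Salsa20/ChaCha20 constant for 256-bit keys. The split form is what a compiler emits when the constant is materialised as four 32-bit immediates instead of one 16-byte string, so a plain search for the contiguous constant can miss the function that uses it. The scanner below is an added example, not part of the Joe Sandbox report or of the sample's own code: it searches a raw dump for all four words within a small window, in any order, and reports both the contiguous and the split form. The sample dump it carries is constructed for this example, not taken from the report.

```python
"""Scan a raw memory dump for the Salsa20/ChaCha20 "sigma" constant.

Added example; not part of the Joe Sandbox report or of the sample's code.
"expand 32-byte k" is often not stored as one 16-byte string but loaded as
four 32-bit immediates ("expa", "nd 3", "2-by", "te k" in little-endian
byte order), which is the split form the record above shows.
"""
from __future__ import annotations

from dataclasses import dataclass

SIGMA = b"expand 32-byte k"                                   # 256-bit-key constant
SIGMA_WORDS = tuple(SIGMA[i:i + 4] for i in range(0, 16, 4))  # b"expa", b"nd 3", b"2-by", b"te k"


@dataclass(frozen=True)
class Hit:
    kind: str            # "contiguous" (one 16-byte string) or "split" (four immediates)
    offset: int          # offset of the first matched word in the buffer
    words: tuple         # the four words in the order they appear in the buffer


def find_sigma(buf: bytes, window: int = 64) -> list[Hit]:
    """Return every place where all four sigma words occur within `window` bytes.

    Any order is accepted: the compiler is free to materialise the four
    immediates in whatever order register allocation produces.
    """
    occurrences = sorted(
        (pos, word)
        for word in SIGMA_WORDS
        for pos in range(len(buf) - 3)
        if buf[pos:pos + 4] == word
    )
    hits: list[Hit] = []
    i = 0
    while i < len(occurrences):
        start = occurrences[i][0]
        first_pos: dict[bytes, int] = {}
        for pos, word in occurrences[i:]:
            if pos - start > window:
                break
            first_pos.setdefault(word, pos)       # nearest occurrence of each word
        if len(first_pos) < len(SIGMA_WORDS):
            i += 1                                # not all four words nearby; slide on
            continue
        ordered = tuple(w for w, _ in sorted(first_pos.items(), key=lambda kv: kv[1]))
        contiguous = [first_pos[w] for w in SIGMA_WORDS] == [start + 4 * k for k in range(4)]
        hits.append(Hit("contiguous" if contiguous else "split", start, ordered))
        last = max(first_pos.values())
        i = next((k for k, (pos, _) in enumerate(occurrences) if pos > last), len(occurrences))
    return hits


# Constructed sample dump (not from the report): a code-like region that loads the
# constant as x86-64 "mov r32, imm32" immediates, followed by a contiguous copy
# further on, as a table-driven implementation would keep it.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"\xb8" + b"2-by"          # mov eax, 0x79622d32
    + b"\x48\x89\xc7"            # mov rdi, rax (filler)
    + b"\xb9" + b"expa"          # mov ecx, 0x61707865
    + b"\x90\x90"                # nop; nop
    + b"\xba" + b"nd 3"          # mov edx, 0x3320646e
    + b"\xbb" + b"te k"          # mov ebx, 0x6b206574
    + b"\x00" * 32
    + SIGMA                      # contiguous "expand 32-byte k"
    + b"\x00" * 16
)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for hit in find_sigma(data):
        print(f"{hit.kind:10s} @ 0x{hit.offset:08x}  order: {b'$'.join(hit.words).decode()}")
```

Run it against an extracted .sdmp to locate the function that owns the constant, then confirm the quarter-round arithmetic in the disassembly at that offset. A hit only says that ChaCha20 or Salsa20 is linked in, not what it is used for: legitimate software carries the same constant (Go's crypto/tls, for example, links its ChaCha20-Poly1305 implementation), so treat it as a pointer to the key-schedule and traffic-encryption code, not as a verdict on its own.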
      Strings
      • casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of rangeCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailW113686837721, xrefs: 00A2C18F
      • newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes nil PoolwsaioctlEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0x509sha1ClassANYQuestionntdll.dllFindCloseLocalFreeMoveFileW, xrefs: 00A2C165
      • casgstatus: waiting for Gwaiting but is Grunnablepe32 optional header has unexpected Magic of 0x%xnot enough significant bits after mult128bitPow10runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive cal, xrefs: 00A2C0FB
      • runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid , xrefs: 00A2C147
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: newval= mcount= bytes, stack=[ minLC= maxpc= stack=[ minutes etypes nil PoolwsaioctlEqualSidSetEventIsWindowrecvfrom48828125strconv.parsing ParseIntavx512bwavx512vlgo/typesnet/httpgo/buildnetedns0x509sha1ClassANYQuestionntdll.dllFindCloseLocalFreeMoveFileW$casgstatus: bad incoming valuesresetspinning: not a spinning mentersyscallblock inconsistent runtime: split stack overflow: ...additional frames elided...unsafe.String: len out of rangeCertDuplicateCertificateContextSetupDiGetDeviceInfoListDetailW113686837721$casgstatus: waiting for Gwaiting but is Grunnablepe32 optional header has unexpected Magic of 0x%xnot enough significant bits after mult128bitPow10runtime: unable to acquire - semaphore out of syncmallocgc called with gcphase == _GCmarkterminationrecursive cal$runtime: casgstatus: oldval=gcstopm: negative nmspinningfindrunnable: netpoll with psave on system g not allowednewproc1: newg missing stacknewproc1: new g is not GdeadFixedStack is not power-of-2missing stack in shrinkstack args stack map entries for invalid
      • API String ID: 0-447271998
      • Opcode ID: 143d95079a5e92aee5f953a8ffb61dcc81ff63b34b9b936becde4a502d0ef55e
      • Instruction ID: e72c9cb2849fd265473681cebf6295130019921205d489f1894b144956737106
      • Opcode Fuzzy Hash: 143d95079a5e92aee5f953a8ffb61dcc81ff63b34b9b936becde4a502d0ef55e
      • Instruction Fuzzy Hash: D2B1B236609A94C6D704CB29E58536EBB71F34AB94F148232EF9C43B65CF3AC455CB41
      Strings
      • runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=unknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff AdjustTokenGroupsIsTokenRestrictedCertFindExtensionCryptDecodeObjectReadProcessMemoryQuery, xrefs: 00A28BA5
      • runtime., xrefs: 00A28B72
      • reflect., xrefs: 00A28BCC
      • bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: ControlS, xrefs: 00A28C93
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: bad restart PC-thread limitstopm spinning nmidlelocked= needspinning=randinit twicestore64 failedsemaRoot queuebad allocCountbad span statestack overflow untyped args out of range no module dataruntime: seq1=runtime: goid= in goroutine unreachable: ControlS$reflect.$runtime.$runtime/internal/thread exhaustionlocked m0 woke upentersyscallblock spinningthreads=unknown caller pcstack: frame={sp:runtime: nameOff runtime: typeOff runtime: textOff AdjustTokenGroupsIsTokenRestrictedCertFindExtensionCryptDecodeObjectReadProcessMemoryQuery
      • API String ID: 0-1732337880
      • Opcode ID: 8886a7b3a7af4100c379caafe067bfe1de48abdc4cdbfc41e31d2dd6bb3fbac8
      • Instruction ID: e1840a97d8dbc314280dd55969c1cf9a00a055f03e0b8f91c8f5092a31ee2c2c
      • Opcode Fuzzy Hash: 8886a7b3a7af4100c379caafe067bfe1de48abdc4cdbfc41e31d2dd6bb3fbac8
      • Instruction Fuzzy Hash: 6A719D72716A608ADB14CF28A18036AA765F389B94F4C4639EF4D57B44DF3CD8918710
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: @$@$h
      • API String ID: 0-1939477041
      • Opcode ID: 4a462c65aaa5ee4cb5eefe34262d9c9c718cb0a949f1d5267bcc6d3551e0ea6f
      • Instruction ID: c04b45093501c7eee2d40a852082db048ad7a6e2610a280f3ca3c411fe281640
      • Opcode Fuzzy Hash: 4a462c65aaa5ee4cb5eefe34262d9c9c718cb0a949f1d5267bcc6d3551e0ea6f
      • Instruction Fuzzy Hash: 1E629470118B889FE7A5EF18C498BDAB7E1FB98305F50491DE4CEC3260DBB99585CB42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: @$@$h
      • API String ID: 0-1939477041
      • Opcode ID: 28de4c54f65f17b84dbf6bfcea711746423dcc068f0d4871044aa6d515b88c96
      • Instruction ID: 3503a968a16b573088611508c3445f7519d9ae062a08eccd9f9edb671e04ad78
      • Opcode Fuzzy Hash: 28de4c54f65f17b84dbf6bfcea711746423dcc068f0d4871044aa6d515b88c96
      • Instruction Fuzzy Hash: DE527770118B888FE7A5EF58C498BDBB7E1FB98305F504A1DD48EC3260DB799585CB42
      Strings
      • stopTheWorld: not stopped (stopwait != 0)fail to read relocation block item %d: %v34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt baseMapIter.Value called on exhausted iteratorpersistentalloc: align is not a power of 2out of memor, xrefs: 00A2CA00
      • stopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len ou, xrefs: 00A2CAC5
      • stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin, xrefs: 00A2CA7B
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: stopTheWorld: holding locksgcstopm: not waiting for gcinternal lockOSThread errorruntime: checkdead: nmidle=runtime: checkdead: find g runlock of unlocked rwmutexsigsend: inconsistent statemakeslice: len out of rangemakeslice: cap out of rangegrowslice: len ou$stopTheWorld: not stopped (status != _Pgcstop)signal arrived during external code executioncompileCallback: float arguments not supportedruntime: name offset base pointer out of rangeruntime: type offset base pointer out of rangeruntime: text offset base poin$stopTheWorld: not stopped (stopwait != 0)fail to read relocation block item %d: %v34694469519536141888238489627838134765625strconv: illegal AppendInt/FormatInt baseMapIter.Value called on exhausted iteratorpersistentalloc: align is not a power of 2out of memor
      • API String ID: 0-1561105388
      • Opcode ID: 0d42c8e3c527ddbcea903b0d0fdcd355ee8c66cf86be2783a3cbfb8205c2a0d6
      • Instruction ID: 024857cac836779bc5ada75dd3b90a79bc0ca21ea7b086871bd2c3ef4af24919
      • Opcode Fuzzy Hash: 0d42c8e3c527ddbcea903b0d0fdcd355ee8c66cf86be2783a3cbfb8205c2a0d6
      • Instruction Fuzzy Hash: A7A1AD32209B9486EB14CF29F55076EB7A1F38AB94F548236DE8D43B65DF38C445CB40
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c47dd10ad2ffc75a4fb68eec796e3029fb36d07deac5f587a2ed2ad7d380ff7d
      • Instruction ID: dffec980990487419d227a48df8a1925e377ccb4503479d5a22bc2df5c156f55
      • Opcode Fuzzy Hash: c47dd10ad2ffc75a4fb68eec796e3029fb36d07deac5f587a2ed2ad7d380ff7d
      • Instruction Fuzzy Hash: 14020E74518644CFF7A4DB74D95C79B77E1FBA6325F204929E146C21E0CFBA8888CB0A
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _set_error_mode$_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 1239817535-0
      • Opcode ID: 61e198cd96bf3a7d6d01e63f616d7615256a84a0dabeda641be1faa46d329df0
      • Instruction ID: 0d22d5568604ec3db817aa7bb82983a456c9d8c42a485785a93ebe6232d53c08
      • Opcode Fuzzy Hash: 61e198cd96bf3a7d6d01e63f616d7615256a84a0dabeda641be1faa46d329df0
      • Instruction Fuzzy Hash: A961083031C9484FEB5CEB6898653AB73C6E7E6310F24452EE85BC31D6DF35C9098649
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: Timer$ChangeConcurrency::details::platform::__Queue
      • String ID: 2$h
      • API String ID: 19862154-1781522464
      • Opcode ID: adc0e538de935e29b1200ddc316d70f42cae9e69c8baf8df58ba3b730e764b05
      • Instruction ID: 8bd1b0c0fb0f5f2dc3889e0263d419ea44078fac1b1eca0d1ee9a03f55297c6a
      • Opcode Fuzzy Hash: adc0e538de935e29b1200ddc316d70f42cae9e69c8baf8df58ba3b730e764b05
      • Instruction Fuzzy Hash: A852B631118A888FE7B5EF18D898BDBB7E5FBA4305F50092ED48EC2160DF759685CB42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: 2$h
      • API String ID: 0-1781522464
      • Opcode ID: 933841f83ee4cd8a2178f92730b9b63252a466f6bf167bd2332cfe478ca586c4
      • Instruction ID: 0561e36701d22088b2636bcb9d26fa7244f9d691085dda0e514ce2f5c8c21ad7
      • Opcode Fuzzy Hash: 933841f83ee4cd8a2178f92730b9b63252a466f6bf167bd2332cfe478ca586c4
      • Instruction Fuzzy Hash: AE42B471118B888FE775EF14D498BDBB7E5FBA4311F500A2ED08EC2160DF3596898B46
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: 2$h
      • API String ID: 0-1781522464
      • Opcode ID: 46210806302b553765d2aefdbf89518961dd7be77563453aa79eaab9da8b6dfb
      • Instruction ID: eb38e7474da1086168d2d956b5be73edb8005f509eb77c5f13cf3d8ed8da77c5
      • Opcode Fuzzy Hash: 46210806302b553765d2aefdbf89518961dd7be77563453aa79eaab9da8b6dfb
      • Instruction Fuzzy Hash: B242D531118B888FE775EF14D898BDBB7E5FBA9301F604A2ED48EC2160DF3495498B46
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: d
      • API String ID: 0-2564639436
      • Opcode ID: 66b57e7f80cdc274b7313cfeb5881d25c78d462638225719946137e9c4768fb8
      • Instruction ID: 50b0ae95179a0e1cc11f5e2778caff5428fc7530e3860251958bb5f1b42a0111
      • Opcode Fuzzy Hash: 66b57e7f80cdc274b7313cfeb5881d25c78d462638225719946137e9c4768fb8
      • Instruction Fuzzy Hash: D0A2A735109A88CFE7B5EB18C458BEAB7E1FBA9312F54096DD08EC3261DF719944CB42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: h
      • API String ID: 0-2439710439
      • Opcode ID: a07e33f896b3e8815cac824815d3d86c5292d43a2d484c7fd0c4945bd6e46fcb
      • Instruction ID: e5e5e669a87e6880a3aa537ca87637712235e170e1096171c1b3256171b003af
      • Opcode Fuzzy Hash: a07e33f896b3e8815cac824815d3d86c5292d43a2d484c7fd0c4945bd6e46fcb
      • Instruction Fuzzy Hash: 3E12DB301187888FE7B4DF69C8687EBB7E1FB99315F10492DE18AC3290DB759885CB46
      Strings
      • !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, xrefs: 00A3BF4D, 00A3C056, 00A3C197, 00A3C2BF
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: !"#$%%&&''((()))*++,,,,,------....//////0001123333333333444444444455666677777888888888889999999999::::::;;;;;;;;;;;;;;;;<<<<<<<<<<<<<<<<=====>>>>>>>>>>>??????????@@@@@@@@@@@@@@@@@@@@@@AAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
      • API String ID: 0-2911004680
      • Opcode ID: 5ed3aa6a43838c8b28439dc7834d93543f151ae1690b73d3d5615f3a05c120d9
      • Instruction ID: 3c1357025784da9a40f29793e722b57d5b2727b9a0da74d8350e1b750ef1eab3
      • Opcode Fuzzy Hash: 5ed3aa6a43838c8b28439dc7834d93543f151ae1690b73d3d5615f3a05c120d9
      • Instruction Fuzzy Hash: 07F1F032355A84C6EA00DB25E8057BAA766F784BE0F994126FF5E27B95CF7CC845C700
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID: h
      • API String ID: 0-2439710439
      • Opcode ID: d382f11ba5a69f70f62551fcb19b99bbd528cd8ca2d54e000dc28b20ef4a62b0
      • Instruction ID: 3ac8ad472872f37459f2c29c428bb76cf33d53c792bc8c7638c81bc815fd8f9c
      • Opcode Fuzzy Hash: d382f11ba5a69f70f62551fcb19b99bbd528cd8ca2d54e000dc28b20ef4a62b0
      • Instruction Fuzzy Hash: 3BE118305187888FE7B5DF68C8587EAB7E1FBA9305F10492EE18ED3690DB749485CB42
      Strings
      • runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin, xrefs: 00A1F005
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: runtime: cannot allocate memorycheckmark found unmarked objectruntime: failed to commit pages/memory/classes/heap/free:bytes/memory/classes/os-stacks:bytespacer: sweep done at heap size non in-use span in unswept listcasgstatus: bad incoming valuesresetspinnin
      • API String ID: 0-429552053
      • Opcode ID: fe40db33e75f3ec8ef636a34b92cde33c6badab1a5aa60edf01a5fa9eb0cc8b8
      • Instruction ID: 80b41a864794c53d971910d02c3a3a78397330a272f9ff4d6b478ae89493c414
      • Opcode Fuzzy Hash: fe40db33e75f3ec8ef636a34b92cde33c6badab1a5aa60edf01a5fa9eb0cc8b8
      • Instruction Fuzzy Hash: 59A15976618B9482DA24CB16F4407AAA775F3C9BC0F585522EF8E57B29CF38C991CB40
      Strings
      • bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs, xrefs: 00A04E27
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: bulkBarrierPreWrite: unaligned argumentsrefill of span with free space remaining/cpu/classes/scavenge/assist:cpu-secondsruntime.SetFinalizer: first argument is failed to acquire lock to reset capacitymarkWorkerStop: unknown mark worker modecannot free workbufs
      • API String ID: 0-866072839
      • Opcode ID: 7bc90c1452cbbc7e1b93d138c682f504b26b8733e46facca209e7fd7f81b64aa
      • Instruction ID: 409bfb1127a1ac438c24e5af297028e063c02cdfe0992e02687078d7e92712fd
      • Opcode Fuzzy Hash: 7bc90c1452cbbc7e1b93d138c682f504b26b8733e46facca209e7fd7f81b64aa
      • Instruction Fuzzy Hash: 7F918BB6719A9882DB108B56F4403AAB765F38EFC0F588126EF8D57B58DB38C4A1C700
      Strings
      • bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod, xrefs: 00A1E107
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: bad summary dataruntime: addr = runtime: base = runtime: head = timeBeginPeriod
      • API String ID: 0-2099802129
      • Opcode ID: f497cace111e24177e3f2929a9120ef36b0710a6e1229a6dbecb2e8b2ed37383
      • Instruction ID: dd72103016bd455a93c08221116999653ad163c74a1d08b4d056d49ca476d9f9
      • Opcode Fuzzy Hash: f497cace111e24177e3f2929a9120ef36b0710a6e1229a6dbecb2e8b2ed37383
      • Instruction Fuzzy Hash: 4D61CDB3750B8882DB00DB16E44039A77A6F78ABD4F849226EF9D17B99CB7CD585C340
      Strings
      • gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next= , xrefs: 00A0A5F4
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: gcing MB, got= ... max=scav ptr ] = (usageinit ms, fault tab= top=[...], fp:1562578125Greeksse41sse42ssse3filesKeyKey SysidreadatlistensocketStringFormat[]bytestringuint16uint32uint64structchan<-<-chan ValueGetACPsysmontimersefenceselect, not object next=
      • API String ID: 0-2827204213
      • Opcode ID: 177bd78426176aa971dae05c8ea15b451086d80e2902ed32e6907b63e309a476
      • Instruction ID: bb98d9bd1021f100baac3829e9b11c19ab3e261659379bf2154297bdbb894ca6
      • Opcode Fuzzy Hash: 177bd78426176aa971dae05c8ea15b451086d80e2902ed32e6907b63e309a476
      • Instruction Fuzzy Hash: 77817C32208B84C6E700DF20F48575AB774F39A794F558326EA9D837A5EF7AC489CB01
      Strings
      • gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not , xrefs: 00A10BF0
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID: gcmarknewobject called while doing checkmarkactive sweepers found at start of mark phaseno P available, write barriers are forbiddencompileCallback: float results not supportedcannot trace user goroutine on its own stackunsafe.Slice: ptr is nil and len is not
      • API String ID: 0-3110597650
      • Opcode ID: 3fb25025385263e90aba77d5286d80a85059c15c3ddd45348806f1429adaff7e
      • Instruction ID: 2c7315d90518299d4349569df283b91b274c5e1b8511d9a5441fbb861c6aae90
      • Opcode Fuzzy Hash: 3fb25025385263e90aba77d5286d80a85059c15c3ddd45348806f1429adaff7e
      • Instruction Fuzzy Hash: 0421CFF3B06A8446EB058F29D4803A86B22E75AFD8F49A075CF4D57756CA68C596C300
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
      • Instruction ID: f6fe584ad53d6cd92f9fb9bc5980e0a34cc66f00a37b6a3771561f22d906ef55
      • Opcode Fuzzy Hash: f830e609fe5cee47e6c16999e452ce305c1c12be961c10b305ce6362bf0b176d
      • Instruction Fuzzy Hash: DA527D715443019FE768CF26C849BABB7E5AF98704F044A2DF9859F2C1DBB0E848CB95
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5a583ae86051e2f7dd8e1f5aad3c29afd1add19ea6dbc22acd9425ae77474c6f
      • Instruction ID: 57926ea9eae2b5ad98d74fa2671e79c172517ce85b0a05c2235f61e70f7f127c
      • Opcode Fuzzy Hash: 5a583ae86051e2f7dd8e1f5aad3c29afd1add19ea6dbc22acd9425ae77474c6f
      • Instruction Fuzzy Hash: B22272707082419FD74CCB2CD8A1A2EB7E2ABDC344F54892DF59AD7391DA30E915CB4A
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ee4bf9ab2e29397760fc8cb3bc6385edb1bd6fffdce0efa5aaa3d0e99b23b852
      • Instruction ID: 49b96194504ccdf6f1240f0ff1a012c5d7fe34f7fa3d74143e7d6006a5f1c1ab
      • Opcode Fuzzy Hash: ee4bf9ab2e29397760fc8cb3bc6385edb1bd6fffdce0efa5aaa3d0e99b23b852
      • Instruction Fuzzy Hash: 2B1255747092019F974CCB2CD8A1A2EB7E2ABCC744F44892DF59AD7381DA30ED15CB4A
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 629590470d97b874860c088878d19a79a4e01a140465c2e63e0b89389eaa0b6e
      • Instruction ID: ad846f34f53fd6d8957bfefdcd2171cb8400718fdef9b7d4236e943f7c46f79a
      • Opcode Fuzzy Hash: 629590470d97b874860c088878d19a79a4e01a140465c2e63e0b89389eaa0b6e
      • Instruction Fuzzy Hash: 79E17430618A498BEB6CDF29D8897EEB7E5FB58701F00432DE85AC7280DF70E9158785
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
      • Instruction ID: cf3d48de496c557f19ebf9bfabec57d2b55e9ab4edcf8e76f0b0e238758762a7
      • Opcode Fuzzy Hash: a66aa8eccb36b3c863fa0cf2326f118ce4658279e53cce5a51b176019e00911a
      • Instruction Fuzzy Hash: CAD16E31508A088FEB59DF28C889AEAB7E1FF98310F14462DE88ACB155DF30E545CB45
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e5db96014bc2057459a5de57d795ac0494fa1063507bb8748ea6a2b77d000882
      • Instruction ID: de2e4c6a76d66fb147fad6ffb8f4f5d4e8de04026e9e6f66491aa263d7dd4b81
      • Opcode Fuzzy Hash: e5db96014bc2057459a5de57d795ac0494fa1063507bb8748ea6a2b77d000882
      • Instruction Fuzzy Hash: 77C1C577B08A9482CA14CF16F401BAAA775F39AFC4F485521EE8E87B19CB79C945C740
      Memory Dump Source
      • Source File: 00000000.00000002.2178027279.000001B278C10000.00000040.00000020.00020000.00000000.sdmp, Offset: 000001B278C10000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b278c10000_file.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2eb60552c2100443aaec2c648c47b59461eb5170d6947b4f16a84231dc1554a0
      • Instruction ID: 80bb89dca05d8b2aef9f440b708c118023c2c164ebba28b1e21f720818636e33
      • Opcode Fuzzy Hash: 2eb60552c2100443aaec2c648c47b59461eb5170d6947b4f16a84231dc1554a0
      • Instruction Fuzzy Hash: FEA12C31508A0C8FDB59EF28C889BEA77E5FB68315F10466FE44AC7160EB30D644CB85
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fa490ab6571b93393d0a1a4a94c8c4e5444e5b9063051b146d42770c6ade12ea
      • Instruction ID: 415826a09075281bf82f4d2ec674b0bd69f49647238e5eda5f22293c8358a0b5
      • Opcode Fuzzy Hash: fa490ab6571b93393d0a1a4a94c8c4e5444e5b9063051b146d42770c6ade12ea
      • Instruction Fuzzy Hash: 83B12432309B88C6EB05CB21F4543AABB65F386B84F088A35EA9D137D4DF39D485D701
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 51cd065529514eff7a7f141582a7417b104afbf881e1d1e60466e9b6a8fbc7b2
      • Instruction ID: d7e5b6cd81af0867ae2a5f442fe69b6b079e17191ab3ed37a150cce822db1570
      • Opcode Fuzzy Hash: 51cd065529514eff7a7f141582a7417b104afbf881e1d1e60466e9b6a8fbc7b2
      • Instruction Fuzzy Hash: 9BA16C302087488FF778EB69D8687AB77E1FBAA312F104529D54AC22A0DF798945CB45
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0351977f8a9c6ad20ec25c8f94d0c4112283a0eae10307cc46bc89dd75069b69
      • Instruction ID: babd2c91fc05a2ec396b4e9d01ad6c74239e637c2f029e2afeaf597a5f1d5513
      • Opcode Fuzzy Hash: 0351977f8a9c6ad20ec25c8f94d0c4112283a0eae10307cc46bc89dd75069b69
      • Instruction Fuzzy Hash: 3D91D3727196808AD724CB66B560F6BBB61F799BC0F589125FE8D47F19CB38C8508B40
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2b52b00425498a556b8e8e77816f0c5cafaf55d5da3e93247ae1f2a6147883f2
      • Instruction ID: c91e3a47b19b221ba89efe4a6de35835a0604c1582682c49c1dfe5d272e217f6
      • Opcode Fuzzy Hash: 2b52b00425498a556b8e8e77816f0c5cafaf55d5da3e93247ae1f2a6147883f2
      • Instruction Fuzzy Hash: D8B11A16D18FCA20F6135778D403B762A146FF36C4F01D72ABAC6F16B3DB566A04B922
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b7223a579b979f01d93bbfcd00fa344795459571650b7942a5d2e5933e787820
      • Instruction ID: 795858132940f5aed3d9d27646e7fa01de5aca91a7d0c6afcdb91f74b186c428
      • Opcode Fuzzy Hash: b7223a579b979f01d93bbfcd00fa344795459571650b7942a5d2e5933e787820
      • Instruction Fuzzy Hash: CBA14876618B8482DB10CB25F18029AB7A5F789BD4F545226EFED57BA9CF3CD091CB00
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5802199e9b15065e1c2173d735624e98e10ed4ac0cbec300296e7e546346cedb
      • Instruction ID: 1cf6fa46dadc03f4884419d25f9ed072e71b6b5e597253a6bd4ae279e4ac8d67
      • Opcode Fuzzy Hash: 5802199e9b15065e1c2173d735624e98e10ed4ac0cbec300296e7e546346cedb
      • Instruction Fuzzy Hash: DD819D73718B8482DB108B15E5803EAA762F79ABD0F585226EF8D57B5ACB3CC494C740
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 67fee4663bc745c6a5a2df735d6d59c7405c2b46a96bc890505430404ad3a281
      • Instruction ID: 6df6bcca8f4baf5164663f437fb8b3b287ac3a789c973142d19389161018c734
      • Opcode Fuzzy Hash: 67fee4663bc745c6a5a2df735d6d59c7405c2b46a96bc890505430404ad3a281
      • Instruction Fuzzy Hash: 9A71B0B4208608CFF7A8EF64D92D7EA73E1F7AA315F10452ED446C21A0DF798588CB49
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2fd0a24f60d9856ce55c1014a38e6b70657eb8710e95823019aa89749b6cc77a
      • Instruction ID: 0ab4b6527f3a793cbc45e554da88a804f841dde2780f3b477150a6f07f0c2d17
      • Opcode Fuzzy Hash: 2fd0a24f60d9856ce55c1014a38e6b70657eb8710e95823019aa89749b6cc77a
      • Instruction Fuzzy Hash: 8E41573274AA5482CB18DB19D511B6DAA31F3DDFD0F99521ADE1B07B81CE7ACC45C384
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bf61a254f4b2648dcf3111e7e7c633afb370ea62aa868d77fd3444ef2bb033a4
      • Instruction ID: 9357a616f04d78127e0689ab099c259860a903b202812f2a8ac2fd2d69630204
      • Opcode Fuzzy Hash: bf61a254f4b2648dcf3111e7e7c633afb370ea62aa868d77fd3444ef2bb033a4
      • Instruction Fuzzy Hash: 92410AD5701A5981AE048F6795201BAA361E74BFD039CE633CF1D77B68CA3CD902D344
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c8b0b1f45454a5469b54204aac39b17cb437c0de978e696865ce4b20dffb7cd4
      • Instruction ID: 5220f122e7bf1789897ddedc9e157b9bf1f1cdc0a362b021d7ac8aba390b8b4b
      • Opcode Fuzzy Hash: c8b0b1f45454a5469b54204aac39b17cb437c0de978e696865ce4b20dffb7cd4
      • Instruction Fuzzy Hash: 3141D53AB81A448BCB149F34A441BBA6286D7C0774FCC8674DF6D4B3C2E67C84E5BA10
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 232779ea1d360234e4bbd75473a090e227ddaa2c60edee6d735021a4b2af9bdd
      • Instruction ID: 8f42f0aabb8b38d0c0de79f2678beacd8c1019bef07dac3b0fe9f9c7bb19bacc
      • Opcode Fuzzy Hash: 232779ea1d360234e4bbd75473a090e227ddaa2c60edee6d735021a4b2af9bdd
      • Instruction Fuzzy Hash: 5B51F772649B8485DA05CB35E48036AA375FB8ABE0F188725EA5EA7B94DF38D0C18700
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2959964966-0
      • Opcode ID: 47bec2cab459e606d8e94f63c52c019478015b28cd6406e527822758cc017737
      • Instruction ID: e46f48e2b315786eb30a9a140dbaedc6902fce17752efe106eae2d426b657173
      • Opcode Fuzzy Hash: 47bec2cab459e606d8e94f63c52c019478015b28cd6406e527822758cc017737
      • Instruction Fuzzy Hash: 0D5190B4108608CFF764EF60D9687EB73E5F7AA315F60452ED446C21A0DF798588CB4A
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b29f9cdf8554c025d6ca51dbd0cdd2e34d02295294e4587bcfa64bdc961bb353
      • Instruction ID: c0f5e4d067a9e7d61d40c8e4bac1fc5ee496ce58df8143f1ddb7ce2a2df01774
      • Opcode Fuzzy Hash: b29f9cdf8554c025d6ca51dbd0cdd2e34d02295294e4587bcfa64bdc961bb353
      • Instruction Fuzzy Hash: E1312EB1B0BE0849ED0BD77A9461B65921B9F93BE4F54D7219C3F765E4EB29C0E28300
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: d559122a1f6f0b69832be9421c7c214fb777efde5fa0d191de61b1ee1601c01b
      • Instruction ID: 37264136081b2b230ff4ffec9f2f3842a356ba4b283d2614991bc7591c2c09ea
      • Opcode Fuzzy Hash: d559122a1f6f0b69832be9421c7c214fb777efde5fa0d191de61b1ee1601c01b
      • Instruction Fuzzy Hash: 8931E8B5719BC44ADB94CB229A243C963ABF798BC0F15D175DF0C93718EB38E5918340
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c674deb00d230c80aa69741c84338d33708ba9b5a9c10745acb9a9f1fc901b11
      • Instruction ID: a746d06703e68395b5cfb85e68e54b2ba195f1b75f4604b85574992493b64c43
      • Opcode Fuzzy Hash: c674deb00d230c80aa69741c84338d33708ba9b5a9c10745acb9a9f1fc901b11
      • Instruction Fuzzy Hash: E221F2E36456C097EB128F26E140BE87B32F302BC4F44A015DF8E07642C7A8C6E8D700
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 04eb0b3ddef3c53d4ed474fa1367046bc3a2d6401958521f328fa5e76c32f96a
      • Instruction ID: 59921bc2c04307f4243a3b1c1847b32e670bdc99d48854dbd9d52b90dbd4fa65
      • Opcode Fuzzy Hash: 04eb0b3ddef3c53d4ed474fa1367046bc3a2d6401958521f328fa5e76c32f96a
      • Instruction Fuzzy Hash: 721100E1E36F480ADA47C73A5551311810B5FA7BD0F28D322BD1BB67A6E72595D34200
      Memory Dump Source
      • Source File: 00000000.00000002.2176094777.00000000009F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009F0000, based on PE: true
      • Associated: 00000000.00000002.2176057849.00000000009F0000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176201813.0000000000AB6000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176333221.0000000000C2B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176354996.0000000000C2D000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176377291.0000000000C36000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176395931.0000000000C42000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C43000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000C63000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176412502.0000000000CCA000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176481951.0000000000CCF000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176502800.0000000000CD5000.00000008.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.2176520734.0000000000CD6000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_9f0000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0e7b355c84e3535949f97abed5442f9bcc5c482bc638cbc6a7056c7ac6c4d10a
      • Instruction ID: 58bfbbea4c306c1731cebaa769e2fa56cc385789a16573b13e0417f4e284c231
      • Opcode Fuzzy Hash: 0e7b355c84e3535949f97abed5442f9bcc5c482bc638cbc6a7056c7ac6c4d10a
      • Instruction Fuzzy Hash: 51C08CB090ABC218FB10C300B20270439A19B24382ED08084825801615963CC6884104
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: free$_errno
      • String ID:
      • API String ID: 2288870239-0
      • Opcode ID: 892d27b847e74208b98b5f524de7e1165b6f73ba6f7e08818c88c9b05fc7fdc8
      • Instruction ID: e851e0f4852eba1b567a5d9b0566edc6dbb0216d24cf0bc527b998119da181f5
      • Opcode Fuzzy Hash: 892d27b847e74208b98b5f524de7e1165b6f73ba6f7e08818c88c9b05fc7fdc8
      • Instruction Fuzzy Hash: 62B1B43112540CCFE688EBA4C8E97EA7351FB9A711F9985F4D80DDA1A7CF225C49C714
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: free$__free_lconv_mon__free_lconv_num_errno
      • String ID:
      • API String ID: 2822633559-0
      • Opcode ID: 7b336d24eba5c0ac9b4bfec758739f2f0144249e4441c89cb6f65c36a07eadc0
      • Instruction ID: b8fa447a58030f0c1186073aebf4b3152265aded28d7f2a2738456f11d09b1e4
      • Opcode Fuzzy Hash: 7b336d24eba5c0ac9b4bfec758739f2f0144249e4441c89cb6f65c36a07eadc0
      • Instruction Fuzzy Hash: 10413F3111890DCFEFA5EB98C4B47E67291FBAA321F6905B9D809DA1D2CF329C84C754
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _fileno$_errno$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 482796045-0
      • Opcode ID: 028979bd5b13ade2da22324f9a5c4af98c9790d4944bca090fd0f536f3016bc3
      • Instruction ID: 77eb759fdec7817fa903beb449a2f9e5763f51b23888f0bf2993616e80f217d8
      • Opcode Fuzzy Hash: 028979bd5b13ade2da22324f9a5c4af98c9790d4944bca090fd0f536f3016bc3
      • Instruction Fuzzy Hash: 2061D73011CE49EAE654ABA984A33FA72D1FB96330F78035DE466C31D1DB35985A834D
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errno$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2819658684-0
      • Opcode ID: ccf1906097c5c7367852938f8d44dc6cf4f8c05bff97315b0985e3b8af237a58
      • Instruction ID: c0af367cbf229176d00a54bc174c766e48d17ad8447de1882791c8958f3acbdb
      • Opcode Fuzzy Hash: ccf1906097c5c7367852938f8d44dc6cf4f8c05bff97315b0985e3b8af237a58
      • Instruction Fuzzy Hash: BE51E832618A0A8FFBA59B9884643EB76E0FB66331FB44259D419C71D2DF33C8498749
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: cf1cf9e5ee490599d654468345f8dd86778b0f50a3bdec84bd96aa650e994298
      • Instruction ID: f1f61a408fbd5b9af3dd4b07df3adc551a329bd7043b5c096b12d192546bee93
      • Opcode Fuzzy Hash: cf1cf9e5ee490599d654468345f8dd86778b0f50a3bdec84bd96aa650e994298
      • Instruction Fuzzy Hash: C0210E3161D6044EF758EBD8DCA63FA72C0EB67331F650249F505872D7DF76180582AA
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: 253ccbe714b82c328477c76466321d949f30074f1a6150cf967292407ae3f5db
      • Instruction ID: b6488e6a6c7189eff6c5bc215ea80806a8638be94e2cd32e17f748afc348cc30
      • Opcode Fuzzy Hash: 253ccbe714b82c328477c76466321d949f30074f1a6150cf967292407ae3f5db
      • Instruction Fuzzy Hash: 8921F93161C6049EF718ABD89CA73FA7680EB67330F650649F505872D3DBB65809829D
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _set_error_mode$_errno$_lockfreemalloc
      • String ID:
      • API String ID: 360200360-0
      • Opcode ID: 52b3feda2cd18445a43c6f8d2fc7ed35086aeb53fe70fc1ac63f9a8d8bfcb4c0
      • Instruction ID: db8cfd4e55b82a6326e092d5fc62c798dcfc578fbd30e6ad634250ceaeb45295
      • Opcode Fuzzy Hash: 52b3feda2cd18445a43c6f8d2fc7ed35086aeb53fe70fc1ac63f9a8d8bfcb4c0
      • Instruction Fuzzy Hash: 9621623561D6098FF7A4BFE4D4657EA72D0EBAA320FA44429E009C31D2DF7B98488749
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errno$_getptd_invalid_parameter_noinfo
      • String ID: $$$
      • API String ID: 2372577547-233714265
      • Opcode ID: c460adb36a8ff80a267e1a98acf9e65ed31786de6d2f7996c3ef535e335d8ea5
      • Instruction ID: e68da9553176cff172e15a355e0eb3acbd66ba89ebff0779b5708cd8b0f8d594
      • Opcode Fuzzy Hash: c460adb36a8ff80a267e1a98acf9e65ed31786de6d2f7996c3ef535e335d8ea5
      • Instruction Fuzzy Hash: C281243081C6588AF7B95ADC98A57FB36D4FB63730F34125DC4D2861C3EF36884A4A49
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: und_memcpy
      • String ID:
      • API String ID: 2264155635-0
      • Opcode ID: 233c2dc3f6114190a0c3a58bca7bebfacb80644e2e843f1241ac7ac938ceac0f
      • Instruction ID: 04b571132be947eec373e35f567512e857a2fe3ec415cdda29fd74f9d5f0f5d0
      • Opcode Fuzzy Hash: 233c2dc3f6114190a0c3a58bca7bebfacb80644e2e843f1241ac7ac938ceac0f
      • Instruction Fuzzy Hash: 0A91D6742087849FE7B4DB18C4A4BEAB7E1FBA9314F60882DD58DC3290DF359985CB42
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
      • String ID:
      • API String ID: 2574049805-0
      • Opcode ID: f6cb1389b3d300155bab13a29e2be79a7747ea1a71811924160686b94840a2be
      • Instruction ID: 8ea9bbdd66d7e09a47db62813bec5b4919be7a5fb208828668bb88cae7a0cd43
      • Opcode Fuzzy Hash: f6cb1389b3d300155bab13a29e2be79a7747ea1a71811924160686b94840a2be
      • Instruction Fuzzy Hash: 2751D3301046098AFB58EF9CC4A23E676E1FB67330F381258D956CB2D6DB76C8498789
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
      • String ID:
      • API String ID: 2574049805-0
      • Opcode ID: 400924676afdb6542912dbb754b0c6b2f42f88cbdf26364f46bcf7423cf333eb
      • Instruction ID: 88f0c888fc3c31e8345b2c8c63b6651bac03709ed88ad0c781509d11e8820cdc
      • Opcode Fuzzy Hash: 400924676afdb6542912dbb754b0c6b2f42f88cbdf26364f46bcf7423cf333eb
      • Instruction Fuzzy Hash: BC51C430118A888FEF98DFA8C4A17A776D0FB66330F244699D855CB2D7DF36C8458789
      APIs
      Memory Dump Source
      • Source File: 00000000.00000002.2178195021.000001B27A4C1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000001B27A4C1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1b27a4c1000_file.jbxd
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: cc1a65610d45c684b4d644e34a1a9e911e9c410526ae494b7efd2ca09e7c409c

      Execution Graph

      Execution Coverage: 4.6%
      Dynamic/Decrypted Code Coverage: 31.6%
      Signature Coverage: 0.7%
      Total number of Nodes: 1249
      Total number of Limit Nodes: 106
CloseHandle 60527->60535 60528->60525 60538 adbd80 CloseHandle 60528->60538 60530 ae181d 60531 ae183b 60530->60531 60539 af7a80 CloseHandle 60530->60539 60533 adf2c0 CloseHandle 60531->60533 60533->60525 60536->60523 60537->60528 60538->60530 60539->60531 60540 2667b1af571 60543 2667b1af51a SleepEx 60540->60543 60542 2667b1af58a 60543->60542 60544 2667b1c5053 60556 2667b1c4c0f 60544->60556 60545 2667b1c5570 60546 2667b1c54e9 shutdown 60547 2667b1c4c82 60546->60547 60547->60545 60547->60546 60550 2667b1c4d37 setsockopt 60551 2667b1c4d82 setsockopt 60550->60551 60552 2667b1c4fac shutdown 60550->60552 60551->60552 60551->60556 60552->60556 60553 2667b1c3490 send 60553->60556 60554 2667b1c2f40 recv WSAEventSelect WSAEnumNetworkEvents CloseHandle 60554->60556 60555 2667b1c4f35 WSAEventSelect 60555->60556 60556->60547 60556->60550 60556->60552 60556->60553 60556->60554 60556->60555 60557 2667b1c2340 socket 60556->60557 60575 2667b1c0e60 LocalFree CreateFileW LocalAlloc send Concurrency::details::platform::__ChangeTimerQueueTimer 60556->60575 60558 2667b1c2384 60557->60558 60567 2667b1c237d 60557->60567 60559 2667b1c23a7 WSAEventSelect 60558->60559 60558->60567 60560 2667b1c23cb 60559->60560 60559->60567 60561 2667b1c23db 60560->60561 60570 2667b1c25ee 60560->60570 60562 2667b1c23e7 connect 60561->60562 60563 2667b1c240d gethostbyname 60561->60563 60565 2667b1c248a 60562->60565 60562->60567 60563->60562 60563->60567 60566 2667b1c2547 WSAEnumNetworkEvents 60565->60566 60565->60567 60566->60567 60568 2667b1c257d 60566->60568 60567->60556 60568->60567 60569 2667b1c25b0 WSACloseEvent 60568->60569 60569->60567 60570->60567 60571 2667b1c28ea 60570->60571 60572 2667b1c2867 60570->60572 60571->60567 60577 2667b1c2b40 recv send und_memcpy Concurrency::details::platform::__ChangeTimerQueueTimer 60571->60577 60576 2667b1c29b0 recv send und_memcpy Concurrency::details::platform::__ChangeTimerQueueTimer 60572->60576 60575->60556 60576->60567 60577->60567 60578 266799eefd3 
VirtualProtect 60579 266799eefeb 60578->60579 60586 266799eef8b 60578->60586 60580 266799eeff9 VirtualProtect 60579->60580 60581 266799f18fc LoadLibraryA 60580->60581 60582 266799ef021 60581->60582 60583 266799ef03c VirtualProtect 60582->60583 60582->60586 60584 266799ef055 60583->60584 60583->60586 60585 266799ef063 VirtualProtect 60584->60585 60585->60586 60587 2667b1af8b3 60588 2667b1af927 LocalFree 60587->60588 60589 2667b1af940 60588->60589 60590 2667b1c474b 60598 2667b1c4689 60590->60598 60592 2667b1c4784 setsockopt 60592->60598 60593 2667b1c4802 CreateThread 60593->60598 60594 2667b1c46f0 SleepEx 60594->60598 60595 2667b1c4973 shutdown closesocket 60595->60598 60596 2667b1c46e9 60597 2667b1c4963 SleepEx 60597->60598 60598->60592 60598->60593 60598->60594 60598->60595 60598->60596 60598->60597 60599 2667b1c1b70 recv Concurrency::details::platform::__ChangeTimerQueueTimer 60598->60599 60600 2667b1c5730 60598->60600 60599->60598 60601 2667b1c5744 60600->60601 60603 2667b1c5799 60600->60603 60606 2667b1c39b0 60601->60606 60604 2667b1c39b0 20 API calls 60603->60604 60605 2667b1c57a6 60603->60605 60604->60605 60605->60598 60607 2667b1c39f3 60606->60607 60642 2667b1c3fb0 60607->60642 60609 2667b1c3f19 und_memcpy 60609->60603 60611 2667b1c2340 8 API calls 60612 2667b1c3a98 60611->60612 60612->60609 60613 2667b1c3aaf setsockopt 60612->60613 60613->60609 60614 2667b1c3afa 60613->60614 60648 2667b1c3490 60614->60648 60619 2667b1c3490 send 60620 2667b1c3be5 60619->60620 60620->60609 60621 2667b1c2f40 4 API calls 60620->60621 60622 2667b1c3c30 60621->60622 60622->60609 60623 2667b1c3490 send 60622->60623 60624 2667b1c3c94 60623->60624 60624->60609 60664 2667b1c43b0 60624->60664 60627 2667b1c3490 send 60628 2667b1c3cfb 60627->60628 60628->60609 60629 2667b1c2f40 4 API calls 60628->60629 60630 2667b1c3d48 60629->60630 60630->60609 60631 2667b1c3490 send 60630->60631 60632 2667b1c3dac 60631->60632 60632->60609 60668 2667b1c41a0 60632->60668 60635 2667b1c3490 send 60636 
2667b1c3e13 60635->60636 60636->60609 60637 2667b1c2f40 4 API calls 60636->60637 60638 2667b1c3e60 60637->60638 60638->60609 60639 2667b1c2f40 4 API calls 60638->60639 60640 2667b1c3eb9 60639->60640 60640->60609 60641 2667b1c3ef9 WSAEventSelect 60640->60641 60641->60609 60675 2667b1c0790 60642->60675 60645 2667b1c3a0e 60645->60609 60645->60611 60646 2667b1c3fe8 und_memcpy 60646->60645 60647 2667b1c40c7 CoUninitialize 60646->60647 60647->60645 60649 2667b1c34b4 60648->60649 60652 2667b1c34d9 60648->60652 60677 2667b1c1bb0 send 60649->60677 60653 2667b1c34d4 60652->60653 60678 2667b1c1bb0 send 60652->60678 60653->60609 60654 2667b1c2f40 60653->60654 60655 2667b1c2f64 60654->60655 60660 2667b1c2f89 60654->60660 60680 2667b1c1b70 recv 60655->60680 60657 2667b1c2f84 60657->60609 60657->60619 60658 2667b1c3451 CloseHandle 60658->60657 60660->60657 60661 2667b1c328d WSAEventSelect 60660->60661 60662 2667b1c33c6 WSAEnumNetworkEvents 60660->60662 60663 2667b1c3117 60660->60663 60679 2667b1c1b70 recv 60660->60679 60661->60660 60661->60663 60662->60660 60662->60663 60663->60657 60663->60658 60666 2667b1c43c7 60664->60666 60665 2667b1c3ca5 60665->60609 60665->60627 60666->60665 60681 2667b1a8e20 60666->60681 60669 2667b1c41b7 _snprintf 60668->60669 60670 2667b1c3dbd 60669->60670 60671 2667b1c4260 GetUserGeoID gethostname 60669->60671 60670->60609 60670->60635 60671->60670 60672 2667b1c42d7 gethostbyname 60671->60672 60672->60670 60673 2667b1c42fc 60672->60673 60673->60670 60674 2667b1c4343 GetUserNameW 60673->60674 60674->60670 60676 2667b1c07a6 CoInitializeEx 60675->60676 60676->60645 60676->60646 60677->60653 60678->60652 60679->60660 60680->60657 60685 2667b1c6c1c 60681->60685 60683 2667b1a8e49 RegGetValueW 60684 2667b1a8e94 60683->60684 60684->60665 60686 2667b1c6c4e _invalid_parameter_noinfo write_char _errno _snprintf 60685->60686 60686->60683 60687 2667b1b77c7 60689 2667b1b77d7 60687->60689 60688 2667b1b78d5 LoadLibraryExW 60691 2667b1b78f6 60688->60691 60701 
2667b1b7867 60688->60701 60689->60688 60689->60701 60690 2667b1b7b4d LoadLibraryExW 60693 2667b1b7b6e 60690->60693 60690->60701 60691->60690 60691->60701 60692 2667b1b7c83 LoadLibraryExW 60695 2667b1b7caa 60692->60695 60692->60701 60693->60692 60693->60701 60694 2667b1b7efb LoadLibraryExW 60697 2667b1b7f1c 60694->60697 60694->60701 60695->60694 60695->60701 60696 2667b1b8031 LoadLibraryExW 60696->60701 60702 2667b1b8052 60696->60702 60697->60696 60698 2667b1b7f82 GetProcAddressForCaller 60697->60698 60700 2667b1b7fcd 60697->60700 60698->60700 60698->60701 60699 2667b1b8167 LoadLibraryExW 60699->60701 60700->60696 60700->60701 60702->60699 60703 2667b1b80b8 GetProcAddressForCaller 60702->60703 60704 2667b1b8103 60702->60704 60703->60701 60703->60704 60704->60699 60704->60701 60705 2667b1c0a86 60709 2667b1c0aa0 60705->60709 60707 2667b1c0b9a 60713 2667b1a5cb0 60707->60713 60709->60707 60721 2667b1afd50 60709->60721 60710 2667b1c0cb0 60711 2667b1c0bc0 60711->60710 60712 2667b1c0c7a CreateThread 60711->60712 60712->60710 60714 2667b1a5cc7 60713->60714 60720 2667b1a5ccc __initmbctable 60714->60720 60728 2667b1b02e0 60714->60728 60719 2667b1a5d69 CreateFileW 60719->60720 60720->60711 60723 2667b1afd65 60721->60723 60722 2667b1afea4 60722->60707 60723->60722 60724 2667b1afdd8 RegOpenKeyW 60723->60724 60727 2667b1afe34 LocalFree 60723->60727 60725 2667b1afdf5 RegSetValueExW RegCloseKey 60724->60725 60724->60727 60725->60727 60727->60722 60729 2667b1b0305 60728->60729 60730 2667b1b0309 LocalAlloc 60729->60730 60731 2667b1a5ce4 60729->60731 60730->60731 60731->60720 60732 2667b1a4fa0 60731->60732 60733 2667b1b02e0 LocalAlloc 60732->60733 60736 2667b1a4fc3 60733->60736 60734 2667b1a597f LocalFree 60735 2667b1a595a 60734->60735 60735->60719 60735->60720 60736->60734 60736->60735 60737 2667b1c7f08 60738 2667b1c7f20 60737->60738 60743 2667b1cdd3c HeapCreate 60738->60743 60740 2667b1c7f78 7 library calls 60745 2667b1a1000 60740->60745 60742 2667b1c805c 60744 2667b1cdd64 
60743->60744 60744->60740 60746 2667b1a101f 60745->60746 60786 2667b1b6dc0 60746->60786 60748 2667b1a104b CreateMutexExW 60751 2667b1a10e3 60748->60751 60810 2667b1a91e0 60751->60810 60752 2667b1a1190 60814 2667b1af1a0 60752->60814 60757 2667b1a12b5 CreateMutexExW 60758 2667b1a12dc CreateMutexExW 60757->60758 60761 2667b1a1326 60758->60761 60818 2667b1bca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 60761->60818 60763 2667b1a120b 60763->60757 60765 2667b1bca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 60768 2667b1a138e _LDint 60765->60768 60820 2667b1c1b30 60768->60820 60770 2667b1a15d2 60830 2667b1a8f60 60770->60830 60775 2667b1a1609 60857 2667b1b01b0 60775->60857 60778 2667b1a1644 60780 2667b1a165a 60778->60780 60785 2667b1a1669 _snprintf 60778->60785 60781 2667b1bbe50 11 API calls 60780->60781 60783 2667b1a165f 60781->60783 60783->60742 60785->60783 60879 2667b1b03a0 CreateFileW LocalAlloc ReadFile CloseHandle __initmbctable 60785->60879 60788 2667b1b6dd8 60786->60788 60787 2667b1b73f1 LoadLibraryExW 60792 2667b1b7412 60787->60792 60809 2667b1b6deb 60787->60809 60788->60787 60789 2667b1b733c GetProcAddressForCaller 60788->60789 60790 2667b1b738a 60788->60790 60788->60809 60789->60790 60789->60809 60790->60787 60790->60809 60791 2667b1b7793 LoadLibraryExW 60794 2667b1b77ba 60791->60794 60791->60809 60792->60791 60792->60809 60793 2667b1b78d5 LoadLibraryExW 60796 2667b1b78f6 60793->60796 60793->60809 60794->60793 60794->60809 60795 2667b1b7b4d LoadLibraryExW 60798 2667b1b7b6e 60795->60798 60795->60809 60796->60795 60796->60809 60797 2667b1b7c83 LoadLibraryExW 60800 2667b1b7caa 60797->60800 60797->60809 60798->60797 60798->60809 60799 2667b1b7efb LoadLibraryExW 60802 2667b1b7f1c 60799->60802 60799->60809 60800->60799 60800->60809 60801 2667b1b8031 LoadLibraryExW 60806 2667b1b8052 60801->60806 60801->60809 60802->60801 60803 2667b1b7f82 GetProcAddressForCaller 60802->60803 60805 2667b1b7fcd 60802->60805 60803->60805 60803->60809 60804 
2667b1b8167 LoadLibraryExW 60804->60809 60805->60801 60805->60809 60806->60804 60807 2667b1b80b8 GetProcAddressForCaller 60806->60807 60808 2667b1b8103 60806->60808 60807->60808 60807->60809 60808->60804 60808->60809 60809->60748 60811 2667b1a9214 60810->60811 60812 2667b1a934b StrCmpIW 60811->60812 60813 2667b1a10fe 60811->60813 60812->60813 60813->60752 60867 2667b1bbe50 60813->60867 60816 2667b1af1ad 60814->60816 60815 2667b1af573 SleepEx 60817 2667b1a119d CreateMutexExW 60815->60817 60816->60815 60816->60817 60817->60763 60819 2667b1a133a 60818->60819 60819->60765 60821 2667b1c1b3d CreateMutexExW 60820->60821 60822 2667b1a15c1 60820->60822 60821->60822 60823 2667b1a8d30 60822->60823 60824 2667b1c6c1c 60823->60824 60825 2667b1a8d54 RegCreateKeyExW 60824->60825 60826 2667b1a8da0 RegCloseKey 60825->60826 60829 2667b1a8d9c 60825->60829 60827 2667b1a8dbd _snprintf 60826->60827 60828 2667b1a8e20 RegGetValueW 60827->60828 60828->60829 60829->60770 60831 2667b1a8fab 60830->60831 60835 2667b1a15e3 60831->60835 60880 2667b1bc980 CreateFileW 60831->60880 60833 2667b1a8fc5 60834 2667b1a8ffc RegOpenKeyW 60833->60834 60833->60835 60834->60835 60836 2667b1a901d RegSetValueExW 60834->60836 60839 2667b1a76c0 60835->60839 60836->60835 60837 2667b1a9057 LocalFree 60836->60837 60837->60835 60840 2667b1a76f4 60839->60840 60841 2667b1a15f4 60840->60841 60842 2667b1a771c RegOpenKeyW 60840->60842 60841->60775 60845 2667b1af740 60841->60845 60842->60841 60843 2667b1a773d RegSetValueExW 60842->60843 60843->60841 60846 2667b1af766 60845->60846 60847 2667b1af777 CreateDirectoryW 60846->60847 60854 2667b1af940 60846->60854 60848 2667b1af789 60847->60848 60849 2667b1af79a LocalAlloc 60847->60849 60848->60849 60848->60854 60850 2667b1af7bb 60849->60850 60849->60854 60851 2667b1bc980 4 API calls 60850->60851 60850->60854 60852 2667b1af827 60851->60852 60853 2667b1af83e CreateFileW 60852->60853 60852->60854 60856 2667b1af887 60853->60856 60854->60775 60855 2667b1af927 LocalFree 60855->60854 
60856->60854 60856->60855 60858 2667b1b01d0 60857->60858 60859 2667b1b023f CreateDirectoryW 60858->60859 60862 2667b1a1621 60858->60862 60860 2667b1b026e 60859->60860 60861 2667b1b0286 LocalFree 60860->60861 60860->60862 60861->60862 60862->60778 60863 2667b1b2000 60862->60863 60864 2667b1b2018 60863->60864 60865 2667b1b2029 LocalAlloc 60864->60865 60866 2667b1b2053 _snprintf 60864->60866 60865->60866 60866->60778 60868 2667b1bbe6b 60867->60868 60878 2667b1bbeaa 60868->60878 60887 2667b1c0a10 60868->60887 60870 2667b1bbf78 60870->60878 60897 2667b1aa6d0 60870->60897 60873 2667b1bca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 60874 2667b1bc001 60873->60874 60875 2667b1bca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 60874->60875 60874->60878 60876 2667b1bc04d 60875->60876 60877 2667b1bca80 ConvertStringSecurityDescriptorToSecurityDescriptorW 60876->60877 60876->60878 60877->60878 60878->60752 60879->60785 60881 2667b1bc9d1 60880->60881 60882 2667b1bca55 60880->60882 60881->60882 60883 2667b1bc9e9 LocalAlloc 60881->60883 60882->60833 60883->60882 60884 2667b1bca07 ReadFile 60883->60884 60884->60882 60885 2667b1bca2e 60884->60885 60885->60882 60886 2667b1bca38 CloseHandle 60885->60886 60886->60882 60888 2667b1c0a26 60887->60888 60889 2667b1c0a4e CreateThread 60888->60889 60893 2667b1c0a84 60888->60893 60889->60893 60890 2667b1afd50 4 API calls 60891 2667b1c0b9a 60890->60891 60892 2667b1a5cb0 3 API calls 60891->60892 60895 2667b1c0bc0 60892->60895 60893->60890 60893->60891 60894 2667b1c0cb0 60894->60870 60895->60894 60896 2667b1c0c7a CreateThread 60895->60896 60896->60894 60899 2667b1aa6e4 60897->60899 60898 2667b1aa7c4 LocalFree 60900 2667b1aa791 60898->60900 60899->60898 60899->60900 60900->60873 60900->60878
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026679980000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_26679980000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
      • String ID: @
      • API String ID: 1653215272-2766056989
      • Opcode ID: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
      • Instruction ID: 2d99f21deb55d051df7154fc3d8fa3f7ec71315e43da19262baded5c7ac32db0
      • Opcode Fuzzy Hash: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
      • Instruction Fuzzy Hash: 11728A31618B488FEB6ADF28C8497A9F3E6FB6C318F14461DE89AC7141DB35E541CB81

      Control-flow Graph

      control_flow_graph (condensed; function 2667b1c4520, entry block 2667b1c4520-2667b1c454b, exit block 2667b1c4b5e-2667b1c4b67)
      • Blocks carrying an import or an internal call: 2667b1c46f0-2667b1c4723 SleepEx; 2667b1c476e-2667b1c477e call 2667b1c5730; 2667b1c4784-2667b1c47b1 setsockopt; 2667b1c4802-2667b1c4847 CreateThread; 2667b1c48cc-2667b1c48f6 call 2667b1c1b70; 2667b1c4942-2667b1c495f call 2667b1c1b70; 2667b1c4963-2667b1c496e SleepEx; 2667b1c4973-2667b1c49d4 shutdown, closesocket, call 2667b1c55d0, call 2667b1a2f50; 2667b1c4a2c-2667b1c4a55 call 2667b1c0790; 2667b1c4b05 call 2667b1c55d0.
      • Structure: outer loop header 2667b1c4689-2667b1c4690 → SleepEx (2667b1c46f0) → call 2667b1c5730 (2667b1c476e) → setsockopt (2667b1c4784) → CreateThread (2667b1c4802) → inner loop header 2667b1c4864-2667b1c486b. Inside the inner loop the call 2667b1c1b70 blocks (recv, per the call graph) are re-entered through the SleepEx block 2667b1c4963-2667b1c496e, which branches back to 2667b1c4864; the inner loop exits through 2667b1c4973-2667b1c49d4 (shutdown, closesocket), after which 2667b1c4a2c-2667b1c4a55 calls 2667b1c0790 and control returns to 2667b1c4689. From 2667b1c4689 the function leaves via 2667b1c4a9e-2667b1c4ab0, optionally 2667b1c4b05 (call 2667b1c55d0), and the exit block 2667b1c4b5e-2667b1c4b67.
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c47dd10ad2ffc75a4fb68eec796e3029fb36d07deac5f587a2ed2ad7d380ff7d
      • Instruction ID: c8db46e20bc1744fa2676c8e3ba2870099393a1e06bc0d853420e1b35a876a1a
      • Opcode Fuzzy Hash: c47dd10ad2ffc75a4fb68eec796e3029fb36d07deac5f587a2ed2ad7d380ff7d
      • Instruction Fuzzy Hash: DD023D7451C645CFF7A5EF24D94C76AB7E2FB99309F504A39E08AC21E4CB798884CB06
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateMutex$Dint
      • String ID:
      • API String ID: 2494643213-0
      • Opcode ID: f98d3638bcb4881571893d0b64532fb7071e35af9423874bbb812e626070e764
      • Instruction ID: 82f0668708d20e659a0d350d22018b6096f0f6a1ed1ebd2b209b0b6d4f8330e6
      • Opcode Fuzzy Hash: f98d3638bcb4881571893d0b64532fb7071e35af9423874bbb812e626070e764
      • Instruction Fuzzy Hash: F37251701086458FF7A5EF24D85C7AAB7E2FB95309F50092DD18AC21A0DFB9A994CF06
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 192f403424aaaf008d525928eb5116ea02d11db019e28c700354a5fbe7f0df23
      • Instruction ID: 9694295aeefb49f69ef7bb30102e9d353d6156d32a5e89a4544c56f18872f9c6
      • Opcode Fuzzy Hash: 192f403424aaaf008d525928eb5116ea02d11db019e28c700354a5fbe7f0df23
      • Instruction Fuzzy Hash: 85511A742186488FE795DF28D45CBAAB7E1FB9D305F400A3DE48AD72A0DB39DA40CB41
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateThread
      • String ID:
      • API String ID: 2422867632-0
      • Opcode ID: 67fee4663bc745c6a5a2df735d6d59c7405c2b46a96bc890505430404ad3a281
      • Instruction ID: f52161aa18358d54e33fc447e712b4cc8bc67d10a7a958765ab3aec909990fa4
      • Opcode Fuzzy Hash: 67fee4663bc745c6a5a2df735d6d59c7405c2b46a96bc890505430404ad3a281
      • Instruction Fuzzy Hash: 4C71C2B4204A09CFF7A5EF24DD0DBAAB7E5F799309F00463ED446C21A0DB798684CB49
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 742e74ce351c1f1b12b47fea87978d01d3a5733e57109485170f251d8ccbb01e
      • Instruction ID: a62d0471f4257a00f1ff6ed41f2c9ab122f4ab22afc252a6b9a65203e3cc6cf6
      • Opcode Fuzzy Hash: 742e74ce351c1f1b12b47fea87978d01d3a5733e57109485170f251d8ccbb01e
      • Instruction Fuzzy Hash: CEB1ED30108B45CFF799EF24D85C75AB7E1FB98346F50492AE48AC32A0DB799A45CF42
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateThread_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 3352222661-0
      • Opcode ID: 47bec2cab459e606d8e94f63c52c019478015b28cd6406e527822758cc017737
      • Instruction ID: 8cb8b1d455b24fdd725e3495d4884b7736d8bd5c83ce4ad7c64dfad7407e95d5
      • Opcode Fuzzy Hash: 47bec2cab459e606d8e94f63c52c019478015b28cd6406e527822758cc017737
      • Instruction Fuzzy Hash: B251A1B4104649CFF766EF20D94C7EAB3E5F798309F00463ED446C21A1DB7A9684CB4A
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026679980000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_26679980000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
      • Instruction ID: efbdf274a12d495b41b098a85c440f0f2aadccbd9fe80c610ed965f6ddfab582
      • Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
      • Instruction Fuzzy Hash: 54C168317149058FFB9AEB28C48D7A9F3E6FB6C30CF184369E44AC7186DB21D945CA91
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c5a17312eacb160121f9eea0b528651a09acfa2ad52bd57e63ccf263f8cb0842
      • Instruction ID: 095b7b66d5e49d1955c639fb8b92982712a4c8a5f531eee28a625e596e286455
      • Opcode Fuzzy Hash: c5a17312eacb160121f9eea0b528651a09acfa2ad52bd57e63ccf263f8cb0842
      • Instruction Fuzzy Hash: B9C2EB30119A89DFF7B6EF18D45C7ABB3E0FBA8305F50092ED44AC26A1DB359585CB42

      Control-flow Graph

      control_flow_graph (condensed; function 2667b1c4b70, entry block 2667b1c4b70-2667b1c4c04 call 2667b1c0790 * 2, loop header 2667b1c4c0f-2667b1c4c16, exit blocks 2667b1c5570-2667b1c5579 → 2667b1c55a8-2667b1c55bf)
      • Blocks carrying an import or an internal call, in forward order: 2667b1c4cc8-2667b1c4d31 call 2667b1c2340 (socket, per the call graph); 2667b1c4d37-2667b1c4d7c setsockopt; 2667b1c4d82-2667b1c4db8 setsockopt; 2667b1c4dbe-2667b1c4e05 call 2667b1c3490 (send); 2667b1c4e0b-2667b1c4e53 call 2667b1c2f40 (recv / WSAEventSelect / WSAEnumNetworkEvents); 2667b1c4e67-2667b1c4eba call 2667b1c3490; 2667b1c4ec0-2667b1c4f08 call 2667b1c2f40; 2667b1c4f35-2667b1c4f53 WSAEventSelect; 2667b1c51c3-2667b1c51e2 call 2667b1c0e60; 2667b1c54e9-2667b1c550d shutdown.
      • Structure: every failure edge of the socket / setsockopt / send / recv / WSAEventSelect sequence lands on 2667b1c4fac-2667b1c4fc0 shutdown, which continues through 2667b1c4fcd-2667b1c4fd6 and 2667b1c4fe2-2667b1c5009 to 2667b1c54ab-2667b1c54b6. The loop header 2667b1c4c0f is re-entered from 2667b1c537a and from 2667b1c54a6; the function leaves through 2667b1c54c8-2667b1c54d0 → 2667b1c5570, with a final shutdown at 2667b1c54e9-2667b1c550d on one of the two branches out of 2667b1c54d6-2667b1c54e7.
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: shutdown
      • String ID: 8
      • API String ID: 2510479042-4194326291
      • Opcode ID: 0cfbe239d229b35d6fa7e3f7e6a4fdefa61c7d779efab9389671b4e29cc5810e
      • Instruction ID: fb65ddf1fb801dfd8b6d76ed30d29784f1bc21f3a634570d337592e31a07f030
      • Opcode Fuzzy Hash: 0cfbe239d229b35d6fa7e3f7e6a4fdefa61c7d779efab9389671b4e29cc5810e
      • Instruction Fuzzy Hash: C942FE741187898FE3A6EF58D45D7EEB3E1FB98305F604A2DD08AC22A0DF755894CB06

      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: socket
      • String ID:
      • API String ID: 98920635-0
      • Opcode ID: 758074d2727f55353240e9f3834a2e572d1aeaaaa783303a230bcacbee708052
      • Instruction ID: 673e7f1d95fd7f7361a68a4b6d69b36bea5f0f0cd9ab0c7049a0bf2fea7ab08d
      • Opcode Fuzzy Hash: 758074d2727f55353240e9f3834a2e572d1aeaaaa783303a230bcacbee708052
      • Instruction Fuzzy Hash: 8302B974618785CFE7B5DF28C49CB9AB7E0FB99315F501A6DE48AC22A0DB35D840CB42

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateLocal$AllocDirectoryFileFree
      • String ID: P
      • API String ID: 1520254948-3110715001
      • Opcode ID: da20fc7a7724216b2506d8b5ae4f75a843dfdb9977f341af6ed6c5acbf74433f
      • Instruction ID: 86bf8e04bb4d0875ab5786177f04478fb9c9976f4ee2fe8639abfb2a04493554
      • Opcode Fuzzy Hash: da20fc7a7724216b2506d8b5ae4f75a843dfdb9977f341af6ed6c5acbf74433f
      • Instruction Fuzzy Hash: 4261EB30118755CFE7B5EF28C49C79AF7E1FB95345F504A2EE08AC21A4CB759889CB02

      APIs
      • Concurrency::details::platform::__ChangeTimerQueueTimer.LIBCMTD ref: 000002667B1C2F7F
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: Timer$ChangeConcurrency::details::platform::__Queuerecv
      • String ID:
      • API String ID: 2709879575-0
      • Opcode ID: abcaa5fb699d6715226628e4e26e6b7be2197a5db06b6bcbd745b9b664a01fbc
      • Instruction ID: 2c56c78cc851ba6ef8cdd18516b234a61270bd54c0f716d0e5fd6116b42b2a43
      • Opcode Fuzzy Hash: abcaa5fb699d6715226628e4e26e6b7be2197a5db06b6bcbd745b9b664a01fbc
      • Instruction Fuzzy Hash: 54E1A5742187858FE7B6DF18D44CBAAB7E1FB89309F504A2DD08AC3290DB759885DB43

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: Timer$ChangeConcurrency::details::platform::__Queueund_memcpy$EventInitializeSelectUninitializesetsockopt
      • String ID: 8
      • API String ID: 516064979-4194326291
      • Opcode ID: c6f8f8f1f16e8ede58b5fd9387a850f077d02c8ef557e43fae6377c933ae6fae
      • Instruction ID: cc9a872fe7e61e34c15628215298dd6c2f44989504f8065a266ef9ef1693ed01
      • Opcode Fuzzy Hash: c6f8f8f1f16e8ede58b5fd9387a850f077d02c8ef557e43fae6377c933ae6fae
      • Instruction Fuzzy Hash: A7F1FC705187888FE7A6DF18D48D7DAB7E0FB98305F404A2EE48AC3291DB359584CB87
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateThreadclosesocketsetsockoptshutdown
      • String ID:
      • API String ID: 3942381783-0
      • Opcode ID: 9b9f5911bb092ffef60129e7ce65391eaeb2486d330d4ccccebe1461689ea821
      • Instruction ID: 7ed1aa1216a8b24b2f8322feb2d348e94f23b82ff75dfe11973acbd9c226256a
      • Opcode Fuzzy Hash: 9b9f5911bb092ffef60129e7ce65391eaeb2486d330d4ccccebe1461689ea821
      • Instruction Fuzzy Hash: FB91FCB4118A458FF395EF64D95C75AB7E2FB95305F504938E08AC21F0CFB99885CB0A
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026679980000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_26679980000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual$LibraryLoad
      • String ID:
      • API String ID: 895956442-0
      • Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
      • Instruction ID: ecff2a857d314afda9beb5657bef4e98a442286bc697d4e031309b86d4a388fc
      • Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
      • Instruction Fuzzy Hash: 89317632318A084FE759EA58E84E76AB3D5F7D8725F04066AB84BC32C6ED61DD0646C1
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CloseFreeLocalOpenValue
      • String ID:
      • API String ID: 2435347932-0
      • Opcode ID: 59d4a1ec69c95c336cf5cdf13455e3c421429cfd994267f0afb70d0c1f720dac
      • Instruction ID: 6a768b5670812f61583f108f81e8841ce5db7c7697bac906b200e4409aa63d5b
      • Opcode Fuzzy Hash: 59d4a1ec69c95c336cf5cdf13455e3c421429cfd994267f0afb70d0c1f720dac
      • Instruction Fuzzy Hash: 7141CC3011CB488FE755EF28D84C66BB7F1FB95346F50092EE58AC21A0DB79D945CB42
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026679980000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_26679980000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
      • Instruction ID: fcc031a84cd3e296616a7d4cde7985051efafb79ed4550bf1514827f2a44ded0
      • Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
      • Instruction Fuzzy Hash: 4221633270CA084FEB59AA5CE85A769B3D1F7D8715F18026ABC4BC32CADD25DD0646C1
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: File$AllocCloseCreateHandleLocalRead
      • String ID:
      • API String ID: 1443864953-0
      • Opcode ID: d5fc9f4b33cbbbcc9f8f3db8ab93582bc92b71007fb63339fe9d281fc4954cf0
      • Instruction ID: e66fbeecb5430318702c40c8361535b4d976da0df8436ad7425a01fb821b1ca5
      • Opcode Fuzzy Hash: d5fc9f4b33cbbbcc9f8f3db8ab93582bc92b71007fb63339fe9d281fc4954cf0
      • Instruction Fuzzy Hash: F121C5301187458FE794DF68C45C71BBBF0FB99356F504A2DE58AC32A0DBB59885CB42
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CloseCreate_errno_invalid_parameter_noinfo
      • String ID: ?
      • API String ID: 3067000685-1684325040
      • Opcode ID: e1fa8e690777478dbb7aaf1e3c6718a9e7df1082e362113efa4485b0f282c34c
      • Instruction ID: 23ab6fb7471ada971df4e3aa7267a9acdbc796723f93350c1d953a35f84ab360
      • Opcode Fuzzy Hash: e1fa8e690777478dbb7aaf1e3c6718a9e7df1082e362113efa4485b0f282c34c
      • Instruction Fuzzy Hash: B2213030518A458BF755EF24C85CBABF7E1FB90308F500A2DA447C21A1EFB9D549CB81
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: FileLocal$AllocCloseCreateFreeHandleOpenReadValue_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 9688765-0
      • Opcode ID: 59493ee6c7077778934f02759ea539db7f92bfe724745750aa23e1573cf8735b
      • Instruction ID: ccfdef1365ef28e6aaf11c120dabc3f031deebb9c64aa61f9c85562bd71d7827
      • Opcode Fuzzy Hash: 59493ee6c7077778934f02759ea539db7f92bfe724745750aa23e1573cf8735b
      • Instruction Fuzzy Hash: F531DE301186448FE7A5EF24DC9CB9BB7E5FBD4345F40092DD44EC61A0DA759584CB45
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: InitializeUninitializeund_memcpy
      • String ID:
      • API String ID: 134411786-0
      • Opcode ID: eef9f7042ad4823ae52cd53c198c972576b3e73edbb49f78d76cbf320d3a596a
      • Instruction ID: 7d057d973e1f5919a314a4af67b605a25082ae8d7e6d745702ba4760ee8fe32d
      • Opcode Fuzzy Hash: eef9f7042ad4823ae52cd53c198c972576b3e73edbb49f78d76cbf320d3a596a
      • Instruction Fuzzy Hash: 78314F30228A498FE7A5EF24C84D79FB7E1FB95304F40453DA4CAC22A1DE399859CB42
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: Local$AllocFree
      • String ID: #
      • API String ID: 2012307162-1885708031
      • Opcode ID: 64e3b8df7a6dcd6fec4db4893746b054cd88f440b44bdeff192032408970d9ca
      • Instruction ID: 6061f957e07a034eaccfd649e5cd77622db771db90eff0cd9370b13aea5c072f
      • Opcode Fuzzy Hash: 64e3b8df7a6dcd6fec4db4893746b054cd88f440b44bdeff192032408970d9ca
      • Instruction Fuzzy Hash: 5552FA3051CA458FE745EF04EC9996AB7F6FBA8301F40453AE44BC32A4DB79EA45CB42
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026679980000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_26679980000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: LibraryLoad
      • String ID: l
      • API String ID: 1029625771-2517025534
      • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
      • Instruction ID: dcf798c440c84c28d72cfa06cb6e55c975e78fd5db2ce3cb73b4951cbfb9307c
      • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
      • Instruction Fuzzy Hash: 69319430518A858FF766DB28C148B66FBD6FBA930CF2856ACD0DAC7192D721D8468B41
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: AllocLocal_errno_invalid_parameter_noinfo
      • String ID: h
      • API String ID: 259714226-2439710439
      • Opcode ID: 14ca2ddfcce8b4881243e4c524c2883a0a1c3527abb3c7557773b7ebc18441d8
      • Instruction ID: 2d7fc7c4b1cabb1b54167baeec94001e46ae1f901231f60febf5c4e9d3cf7941
      • Opcode Fuzzy Hash: 14ca2ddfcce8b4881243e4c524c2883a0a1c3527abb3c7557773b7ebc18441d8
      • Instruction Fuzzy Hash: BD51D730118B49CFE754EF24D85DB6BBBE1FB98346F500929A586C32B0DB79D885CB42
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateFileFreeLocal
      • String ID:
      • API String ID: 3879352100-0
      • Opcode ID: 147d1cb55de93b4ac58249bf9222c36d3788b614a1a0e0d3871ec9b2fcdb0ee9
      • Instruction ID: 3b2c06c31753fdbb0eae14eebcf51b90cdcd13da6692217f75f4f5f58530ea3a
      • Opcode Fuzzy Hash: 147d1cb55de93b4ac58249bf9222c36d3788b614a1a0e0d3871ec9b2fcdb0ee9
      • Instruction Fuzzy Hash: 3A412D301186458FE755EF28D85C76AB7F2FB99315F50062DE05AC22F0CBBA9945CF82
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateDirectoryFreeLocal
      • String ID:
      • API String ID: 2937684288-0
      • Opcode ID: 3d6c5400fb6232b5440fa9e95e054a6000238df74fb640f1787ec0ff3ebb7f51
      • Instruction ID: c434d0c60d2174a5c7857ae2fcce9b0c0fa3661b725be7ff365489fc9f4328f5
      • Opcode Fuzzy Hash: 3d6c5400fb6232b5440fa9e95e054a6000238df74fb640f1787ec0ff3ebb7f51
      • Instruction Fuzzy Hash: CE31BE30118B458FE7A5EF18D85CB5BB7F1FB95346F90482AF446C22A4DB799845CB02
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: OpenValue_errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 809911093-0
      • Opcode ID: bafd6c7505aa3cec60dc00240c711fa44000b726ee165bdf6933eea115b47741
      • Instruction ID: c70e9a5e511b9315049a34f67524098f388b237920ce71fbe9467c1f57e952a6
      • Opcode Fuzzy Hash: bafd6c7505aa3cec60dc00240c711fa44000b726ee165bdf6933eea115b47741
      • Instruction Fuzzy Hash: 41215431118A448BF365EF24E89CBABB3E5FBD8305F400529E54AC3194EE79D684CB45
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410605768.0000026679980000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000026679980000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_26679980000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual$LibraryLoad
      • String ID:
      • API String ID: 895956442-0
      • Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
      • Instruction ID: 318c4bf39601cd302baad78dcd4118d0ae86fd905010c94d92031bf10f051a36
      • Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
      • Instruction Fuzzy Hash: F2115632718A084FEB95EF18D88D76AB7D5FBDC704F44066AA84AC7249DE21DD418781
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: CreateFile
      • String ID:
      • API String ID: 823142352-0
      • Opcode ID: 08b2cacf798e75e69b7cb91aea6974694c8ad4a9290dab346ea5e9ab6722fae7
      • Instruction ID: 803bee4b00b7d07237be587c5961ee0cc96d458e4d97eaa38ea4945fba2b04c7
      • Opcode Fuzzy Hash: 08b2cacf798e75e69b7cb91aea6974694c8ad4a9290dab346ea5e9ab6722fae7
      • Instruction Fuzzy Hash: 97E1AC30118B45CFE7A5EF28D45CB9ABBE2FB94305F50492DE09EC32A1DB759885CB42
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2959964966-0
      • Opcode ID: a40e8e4882deb632cbb976bceb1dbfc021a17528ebf96bf44d647521f47a5f93
      • Instruction ID: 1b8c1b3ab48a93b54167dd8a36dd2f2de4d6fbc8ca697ef50d96566ff090ba24
      • Opcode Fuzzy Hash: a40e8e4882deb632cbb976bceb1dbfc021a17528ebf96bf44d647521f47a5f93
      • Instruction Fuzzy Hash: AB413231228A888BE761EB34D8987DBB3E1FBD4304F504A3A958AC3190EF35D645CB46
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: shutdown
      • String ID:
      • API String ID: 2510479042-0
      • Opcode ID: 1e324129209cd893a82f5fa77545b34915027e85f67f82c093f94e049304d186
      • Instruction ID: 562ed6dcce71d9be32fea96c4bc14c88246fe3ebfdca98d304b9678c0043dab0
      • Opcode Fuzzy Hash: 1e324129209cd893a82f5fa77545b34915027e85f67f82c093f94e049304d186
      • Instruction Fuzzy Hash: AE21AA74159A85CEF377EF58D45D7EAB3E1FB88319F600A2DC08AC21A1DB365850CB02
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: shutdown
      • String ID:
      • API String ID: 2510479042-0
      • Opcode ID: 4523e242cfff20cbfd5ada0557eb7095d386184abc3efdbd5f50bbc9581a3f54
      • Instruction ID: 84cca76ba6a3c8cfc5a2e5a0623a3683f8545da5f6ccf1abe1a4fe6984694abf
      • Opcode Fuzzy Hash: 4523e242cfff20cbfd5ada0557eb7095d386184abc3efdbd5f50bbc9581a3f54
      • Instruction Fuzzy Hash: C021CA74159A85CFF377EF18D45D7EAB2E1FB89305F600A2DC08AD2190DB369854CB02
      APIs
      • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32 ref: 000002667B1BCAC7
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: DescriptorSecurity$ConvertString
      • String ID:
      • API String ID: 3907675253-0
      • Opcode ID: 11272a2e7ab32d03185ac6325af245eb3004fbee0aa731c5a7eb43ec361abfc4
      • Instruction ID: baed19f9a95fde1dd9bc8475a3bc9cb172362d8c50046ef7ed17f0310b3646dc
      • Opcode Fuzzy Hash: 11272a2e7ab32d03185ac6325af245eb3004fbee0aa731c5a7eb43ec361abfc4
      • Instruction Fuzzy Hash: 0C11D670118B888FE754DF14D89879BFBF0FB94345F50092DE48AC62A0DBB9C985CB42
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: shutdown
      • String ID:
      • API String ID: 2510479042-0
      • Opcode ID: b6bb2329e6b7e795b7e53ac47f74e02c624d07dddd1fe4acb381e2845aab207f
      • Instruction ID: 06c4b901f8a519890afa8c2cc520090683a611d3f97bdc824e1f5e3503c57ac8
      • Opcode Fuzzy Hash: b6bb2329e6b7e795b7e53ac47f74e02c624d07dddd1fe4acb381e2845aab207f
      • Instruction Fuzzy Hash: 5E11957415AA49CEF367EF58D45DBEAB2E4FB88315F600A2DC08AD2190DB369850CB02
      APIs
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: shutdown
      • String ID:
      • API String ID: 2510479042-0
      • Opcode ID: c18aa6a1ffd691c55e1d7561076d591147d0cbf13e51d69eaf643f805061d4c5
      • Instruction ID: 06c4b901f8a519890afa8c2cc520090683a611d3f97bdc824e1f5e3503c57ac8
      Memory Dump Source
      • Source File: 00000002.00000002.3410643928.000002667B1A1000.00000020.10000000.00040000.00000000.sdmp, Offset: 000002667B1A1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_2_2_2667b1a1000_Edge.jbxd
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID: B
      • API String ID: 2959964966-1255198513
      • Opcode ID: 5b9fd8484ccd4287e022cca72682e00a1ed95e5f0e740e72b956befb73647925
      • Instruction ID: 1d648f50ee5cf93a6c08425717d6fb4411e2544ff835b053e96d32bf8d0901f9
      • Opcode Fuzzy Hash: 5b9fd8484ccd4287e022cca72682e00a1ed95e5f0e740e72b956befb73647925
      • Instruction Fuzzy Hash: 49319531910A1E9AEB52EF98D88D7EDFBF4FB54328F500336A816D7292DB3294448785

      Execution Graph

      Execution Coverage:4.1%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:0%
      Total number of Nodes:272
      Total number of Limit Nodes:49
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000261E5450000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e5450000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
      • String ID: @
      • API String ID: 1653215272-2766056989
      • Opcode ID: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
      • Instruction ID: 96e02dbbe88be8084ae780d2dbd5045d6cfed03ed6b97afe888b8ad22d2bae11
      • Opcode Fuzzy Hash: c637d99d209d1ca9699a6f6406458f9f86e5ddc939b9afbe853fcc5f8e29eda5
      • Instruction Fuzzy Hash: A8727830618B488BEB6DDF28C8897A973E1FB98314F14451ED89BC7285EF36F5528B41
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: Dint$CloseCreateExitHandleMutexProcess
      • String ID:
      • API String ID: 3586310-0
      • Opcode ID: f98d3638bcb4881571893d0b64532fb7071e35af9423874bbb812e626070e764
      • Instruction ID: 33c5d08852ba7aa3eb3bb8871a684ae0a4e65c1ae60344b7799505b656bbeccf
      • Opcode Fuzzy Hash: f98d3638bcb4881571893d0b64532fb7071e35af9423874bbb812e626070e764
      • Instruction Fuzzy Hash: A57277702086448FFB64EB24DC5C7BA77E2FB94305FA4052DE58AC31A1DB7AD590CB46

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000261E5450000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e5450000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
      • Instruction ID: 599d4abc7607d85b501eae9353fef5f21b8236e3679ebaa9ab1e92f57079621e
      • Opcode Fuzzy Hash: 08c3b473a1f7362871bcf2729fe2c144e163769adb635b581bed10db9dac86c4
      • Instruction Fuzzy Hash: C8C15530614A054BFB5EEE2884997ADB3D1FBD8300F18426BDC4EC7196EB27F9718691
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c5a17312eacb160121f9eea0b528651a09acfa2ad52bd57e63ccf263f8cb0842
      • Instruction ID: c9ced2c4c3f22ffe8f8823bbb42e72c9c0e359f8a9bb86df4e2b9fe9f771a2e1
      • Opcode Fuzzy Hash: c5a17312eacb160121f9eea0b528651a09acfa2ad52bd57e63ccf263f8cb0842
      • Instruction Fuzzy Hash: B7C22230219A88DFFB75EB18D4487EA77E0FBA4301FA4091ED44AC31A1DB36A5D5CB52

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000261E5450000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e5450000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual$LibraryLoad
      • String ID:
      • API String ID: 895956442-0
      • Opcode ID: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
      • Instruction ID: d186c5c54439a64e2f25b99ce8fe6ead5d47af0a3bc98662db23cab4c01e15a4
      • Opcode Fuzzy Hash: d24d4ce7223a552c1b01d238479d20a295a89e3d53a7350efd5ba8d12bfb46a0
      • Instruction Fuzzy Hash: 8A31763131CA084BE758EE18984976AB3D5E7D4720F14066BAC4FC32D6ED63ED2647C1

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000261E5450000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e5450000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual
      • String ID:
      • API String ID: 544645111-0
      • Opcode ID: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
      • Instruction ID: 6ffe06d081b5af64ff40f9c4a8862e174fe0cfdf3692f237a705b02f748d74d8
      • Opcode Fuzzy Hash: f2b484dd179f3dd10506a7a62fe75bc60ed010a6cf5ae84582fe1852291c4020
      • Instruction Fuzzy Hash: A321513170CA084BDB98AD5CA859769B3D1E7C8710F14016BAD4FC32DAED66ED2647C1

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000261E5450000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e5450000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: LibraryLoad
      • String ID: l
      • API String ID: 1029625771-2517025534
      • Opcode ID: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
      • Instruction ID: b7f8d6b7ae815501d121283d771bf9f22bad59d11e1c417b6dec3c983e8afba9
      • Opcode Fuzzy Hash: 1385f4a438fc17bb376d03bd0145f1e19b120c532c3e81762a8c516170bfbca4
      • Instruction Fuzzy Hash: DB31B47051CA858FF759DF288048B22BBD5FBE9308F2856ADD4DAC3192E722D8168711

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350558821.00000261E5450000.00000040.00000020.00020000.00000000.sdmp, Offset: 00000261E5450000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e5450000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: ProtectVirtual$LibraryLoad
      • String ID:
      • API String ID: 895956442-0
      • Opcode ID: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
      • Instruction ID: 96d700db53da09cbbfcbfb438e7e1e546208f414956447dde476d18757729d29
      • Opcode Fuzzy Hash: b17c4479f7010fd41cbad95f9fb04bd4be79ef02ed8fc175b75ead6b9ebb131e
      • Instruction Fuzzy Hash: B3116931718A184BDB94EF28D88976A77D5FBD8740F04056AAC4FC7249EE23ED518781

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2959964966-0
      • Opcode ID: a40e8e4882deb632cbb976bceb1dbfc021a17528ebf96bf44d647521f47a5f93
      • Instruction ID: 853d57c62872eb997db1eed9d931d7cee44a6d0eed4671d5634952674b6473c7
      • Opcode Fuzzy Hash: a40e8e4882deb632cbb976bceb1dbfc021a17528ebf96bf44d647521f47a5f93
      • Instruction Fuzzy Hash: 1E413331218A884BE760EB34D8547DB77E2FB94300FA0493A958EC3195EF36D655C786

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: AddressCallerLibraryLoadProc
      • String ID:
      • API String ID: 4215043672-0
      • Opcode ID: 0af500e9fc0feaf599aacb806cbe120ad5ae0dc2b63974d019f6ddcc2e35b223
      • Instruction ID: 2c1d47e2d4e55386d0cadafc601b53c51e51b1402c66cec3972bec8632fab288
      • Opcode Fuzzy Hash: 0af500e9fc0feaf599aacb806cbe120ad5ae0dc2b63974d019f6ddcc2e35b223
      • Instruction Fuzzy Hash: 73111E34218B488EE775FB18C4487EA73E0FB98301F50491ED48AC3195DB76A595CBC2

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: AddressCallerLibraryLoadProc
      • String ID:
      • API String ID: 4215043672-0
      • Opcode ID: 175f4f39c38ea6b1026292fd509b3c5c591c0c80c5e03c7319577518d773177d
      • Instruction ID: ce83ec733bdadb8d58b06cabac91c30aa2d297a5622d31d2db318871aef7f327
      • Opcode Fuzzy Hash: 175f4f39c38ea6b1026292fd509b3c5c591c0c80c5e03c7319577518d773177d
      • Instruction Fuzzy Hash: 4D11BA346087888EE775EB14C4587AA73E0FBD6301F90491DD48EC3151DB7AA595CB82
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: AddressCallerLibraryLoadProc
      • String ID:
      • API String ID: 4215043672-0
      • Opcode ID: d3c6e82d341fdc58c4ee0e0beb1d402abe7649a5e2826e12daa8f3b61ba4bcb1
      • Instruction ID: 532336d7ca81b09fc64ef78e319d3a2d319b75115d03d8929cb40af472aceb23
      • Opcode Fuzzy Hash: d3c6e82d341fdc58c4ee0e0beb1d402abe7649a5e2826e12daa8f3b61ba4bcb1
      • Instruction Fuzzy Hash: EA11DB34219B888FEB75EB14D4887EB77E4FB95301F90091ED48AC3191DB36A495CB42

      Control-flow Graph

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: std::rethrow_exception
      • String ID: h
      • API String ID: 1317400359-2439710439
      • Opcode ID: 8ee3f583c56d212dec831c16406cf4e4c95e6968c2955d7366080fd8d4f38ae1
      • Instruction ID: b759bda493615d4e8df8f70dad4a3431cac42819bfbc92f45f3774664215a3e8
      • Opcode Fuzzy Hash: 8ee3f583c56d212dec831c16406cf4e4c95e6968c2955d7366080fd8d4f38ae1
      • Instruction Fuzzy Hash: E422F93021CB888FE7B5DF18C4587EAB7E1FB98305F64492DE58AC3291DB359985CB42

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: free$_errno
      • String ID:
      • API String ID: 2288870239-0
      • Opcode ID: 892d27b847e74208b98b5f524de7e1165b6f73ba6f7e08818c88c9b05fc7fdc8
      • Instruction ID: 44d5448b90bc9f59ab6c43e5e4d77b7c0e1573fbfa41d967404bdf0348ab1385
      • Opcode Fuzzy Hash: 892d27b847e74208b98b5f524de7e1165b6f73ba6f7e08818c88c9b05fc7fdc8
      • Instruction Fuzzy Hash: C5B1633812150D8BE6C9EB24C8D97E86352BB48340FED81F99C8DDA1E7CE53AC55C794

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: free$__free_lconv_mon__free_lconv_num_errno
      • String ID:
      • API String ID: 2822633559-0
      • Opcode ID: 7b336d24eba5c0ac9b4bfec758739f2f0144249e4441c89cb6f65c36a07eadc0
      • Instruction ID: 87095d55b7302f99ecdf23c6ce0a8d9032b1a75aec14ed6ef1472dd1c0762a35
      • Opcode Fuzzy Hash: 7b336d24eba5c0ac9b4bfec758739f2f0144249e4441c89cb6f65c36a07eadc0
      • Instruction Fuzzy Hash: 0D410A3811090D8BEFD5EB58D4997A47292FB58385FFD01B99C89DA1D3CA33E8A1C790

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _fileno$_errno$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 482796045-0
      • Opcode ID: 028979bd5b13ade2da22324f9a5c4af98c9790d4944bca090fd0f536f3016bc3
      • Instruction ID: 05ecd881503a9a07e95518c27782c3795d461b37960639f823ae6bbe87f9934d
      • Opcode Fuzzy Hash: 028979bd5b13ade2da22324f9a5c4af98c9790d4944bca090fd0f536f3016bc3
      • Instruction Fuzzy Hash: 7B61C938114E494AE698AB2844993B976D6FB49350FFC0219E8FAC31D3D627E46293C5

      Control-flow Graph

      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _errno$_invalid_parameter_noinfo
      • String ID:
      • API String ID: 2819658684-0
      • Opcode ID: ccf1906097c5c7367852938f8d44dc6cf4f8c05bff97315b0985e3b8af237a58
      • Instruction ID: 0d3450c4557553c5670f4fcd495f7e2ad2fc3d8007e09248dcaf687054b04750
      • Opcode Fuzzy Hash: ccf1906097c5c7367852938f8d44dc6cf4f8c05bff97315b0985e3b8af237a58
      • Instruction Fuzzy Hash: 2851A634914A098BEBD5DB1884583AB36E2FB84790FFC1259DC99C71D3CA37E85587C2
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: cf1cf9e5ee490599d654468345f8dd86778b0f50a3bdec84bd96aa650e994298
      • Instruction ID: b5435effb7f816cf6278616c31d95476ea7ccb4f3bba78dd028a28c9db19b151
      • Opcode Fuzzy Hash: cf1cf9e5ee490599d654468345f8dd86778b0f50a3bdec84bd96aa650e994298
      • Instruction Fuzzy Hash: BD216E746187444EF398AB58D88A3B877C5FB45360FF8420AED858B1E3D6A7B81182D2
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: 253ccbe714b82c328477c76466321d949f30074f1a6150cf967292407ae3f5db
      • Instruction ID: 49593647c505961bcc3aa1ee7e6eabd9e111402d14027dec3dbec18419391478
      • Opcode Fuzzy Hash: 253ccbe714b82c328477c76466321d949f30074f1a6150cf967292407ae3f5db
      • Instruction Fuzzy Hash: 0B212975A0C7044EF398AB58988A37833D6FB85360FF80609FD954B1E3D6A7B81182D1
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _set_error_mode$_errno$_lockfreemalloc
      • String ID:
      • API String ID: 360200360-0
      • Opcode ID: 52b3feda2cd18445a43c6f8d2fc7ed35086aeb53fe70fc1ac63f9a8d8bfcb4c0
      • Instruction ID: c6193cca57f8897ed3f2b76bfed1a6cc285637be6a53725b128e2ced30e84349
      • Opcode Fuzzy Hash: 52b3feda2cd18445a43c6f8d2fc7ed35086aeb53fe70fc1ac63f9a8d8bfcb4c0
      • Instruction Fuzzy Hash: 9C216D3C5196498FF7E4ABA4D44976A7292F754380FF814299889C31D3DA7BE86087C1
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _errno$_getptd_invalid_parameter_noinfo
      • String ID: $$$
      • API String ID: 2372577547-233714265
      • Opcode ID: c460adb36a8ff80a267e1a98acf9e65ed31786de6d2f7996c3ef535e335d8ea5
      • Instruction ID: 20c68c88d9e9ab990558db85091d48beb46a2b1fec499f94ba2ffc996e6de195
      • Opcode Fuzzy Hash: c460adb36a8ff80a267e1a98acf9e65ed31786de6d2f7996c3ef535e335d8ea5
      • Instruction Fuzzy Hash: A18103384186198AF7F95618988D3B93AD2FB827B0FFC125DCCD28E1C3D527E86242D5
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: und_memcpy
      • String ID:
      • API String ID: 2264155635-0
      • Opcode ID: 233c2dc3f6114190a0c3a58bca7bebfacb80644e2e843f1241ac7ac938ceac0f
      • Instruction ID: b0afab174b7e4ec0dfe8e3bdb26e7770af0ec5a91c0cd778db667c98c788e4f1
      • Opcode Fuzzy Hash: 233c2dc3f6114190a0c3a58bca7bebfacb80644e2e843f1241ac7ac938ceac0f
      • Instruction Fuzzy Hash: A191C7747087849FE7B4DB18C494BEAB7E1FB99304F60882D948DC7291DB35E985CB42
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
      • String ID:
      • API String ID: 2574049805-0
      • Opcode ID: f6cb1389b3d300155bab13a29e2be79a7747ea1a71811924160686b94840a2be
      • Instruction ID: 929b61e66110f06fd204087a87d4fcd95779e4b82e3bc9c31f9a57196e7fa920
      • Opcode Fuzzy Hash: f6cb1389b3d300155bab13a29e2be79a7747ea1a71811924160686b94840a2be
      • Instruction Fuzzy Hash: AA51C3341046098AE798EF58C88E36576D1FB44350FF80259DCA5CB1DBD6B7EC6286C1
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _errno$_fileno_getbuf_invalid_parameter_noinfo_isatty
      • String ID:
      • API String ID: 2574049805-0
      • Opcode ID: 400924676afdb6542912dbb754b0c6b2f42f88cbdf26364f46bcf7423cf333eb
      • Instruction ID: a34a01fb235fe69004509b834c1e4788f4532d3ba37c74dfef4bc515c5f61467
      • Opcode Fuzzy Hash: 400924676afdb6542912dbb754b0c6b2f42f88cbdf26364f46bcf7423cf333eb
      • Instruction Fuzzy Hash: D451BF34114A084FEBD89F28C48976576D2FB543A0FF80259DCA5CB2D7D6A7E87187C1
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: __doserrno_errno
      • String ID:
      • API String ID: 921712934-0
      • Opcode ID: cc1a65610d45c684b4d644e34a1a9e911e9c410526ae494b7efd2ca09e7c409c
      • Instruction ID: c6c80bce8208007420d80395ebb06e0613acc5b539ce0ce67c6860d3452a2639
      • Opcode Fuzzy Hash: cc1a65610d45c684b4d644e34a1a9e911e9c410526ae494b7efd2ca09e7c409c
      • Instruction Fuzzy Hash: 9001D67552494D8EF759BB24885A36432D1FB10321FF88254A955CB1E3CABBE461C291
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _amsg_exit$_getptd_lockfree
      • String ID:
      • API String ID: 2148533958-0
      • Opcode ID: 4046e20d8c9ee5f78bc00f49ff3442623897f32c527e484218f0333f02347ad5
      • Instruction ID: 05bd6191f9e19e0f5f5cf227d9d58cf08f793dd3f0ab12e6c8c02231b1de71c7
      • Opcode Fuzzy Hash: 4046e20d8c9ee5f78bc00f49ff3442623897f32c527e484218f0333f02347ad5
      • Instruction Fuzzy Hash: 22212E34614A488FE7D5EB68C4C8B6572E5FB58340FF81169E849C31D2DB32E8548792
      APIs
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _amsg_exit_getptd$_lock
      • String ID:
      • API String ID: 3670291111-0
      • Opcode ID: 9551b0adf5f97ad9614b394a459279b2b61166ac4730dc1e728ddb053ef1bccd
      • Instruction ID: 3f55774b8f624fa8d728642d955223191135a966bfdeb91cdc0efa94563b8b1c
      • Opcode Fuzzy Hash: 9551b0adf5f97ad9614b394a459279b2b61166ac4730dc1e728ddb053ef1bccd
      • Instruction Fuzzy Hash: B6F04F386119048BF7C4EBA8C4D9FA522A6FB08380FF81274DC89C71D3DA67A864C791
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000004.00000002.2350671493.00000261E6CE1000.00000020.10000000.00040000.00000000.sdmp, Offset: 00000261E6CE1000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_4_2_261e6ce1000_Edge.jbxd
      Similarity
      • API ID: _errno_invalid_parameter_noinfo
      • String ID: B
      • API String ID: 2959964966-1255198513
      • Opcode ID: 5b9fd8484ccd4287e022cca72682e00a1ed95e5f0e740e72b956befb73647925
      • Instruction ID: 92daae16a2b749ed16d3ff2ba87f9d828b8c7ac9b76cf3b694ebacada58d89d2
      • Opcode Fuzzy Hash: 5b9fd8484ccd4287e022cca72682e00a1ed95e5f0e740e72b956befb73647925
      • Instruction Fuzzy Hash: 5931F634914A4C9AEF91EB68D8887DD7BB1FB44360FF40226AC45D6292DA33E45087C1

      Execution Graph

      Execution Coverage:2.2%
      Dynamic/Decrypted Code Coverage:15.4%
      Signature Coverage:0%
      Total number of Nodes:996
      Total number of Limit Nodes:92
56699->56702 56700->56693 56701 af82c0 CloseHandle 56701->56703 56705 add76f 56702->56705 56703->56696 56703->56701 56704 b04580 CloseHandle 56703->56704 56704->56703 56706 add7d5 56705->56706 56707 ae5700 CloseHandle 56705->56707 56708 ae9a60 CloseHandle 56706->56708 56707->56706 56709 add816 56708->56709 56709->56667 56713 ade30a 56710->56713 56711 ade3a3 56714 ae9940 CloseHandle 56711->56714 56712 ade33c 56716 ae9940 CloseHandle 56712->56716 56713->56710 56713->56711 56713->56712 56715 ad7400 CloseHandle 56713->56715 56717 ade3b4 56714->56717 56715->56713 56719 ade365 56716->56719 56718 ad4500 CloseHandle 56717->56718 56720 ade3be 56718->56720 56721 b06180 CloseHandle 56719->56721 56722 ae9a60 CloseHandle 56720->56722 56723 ade37f 56721->56723 56724 ade3ca 56722->56724 56725 ae9a60 CloseHandle 56723->56725 56724->56671 56726 ade39d 56725->56726 56726->56671 56727->56667 56728->56675 56729->56678 56730->56667 56731->56599 56732->56599 56733->56484 56734 adcda0 56735 adcdb3 56734->56735 56740 adce20 56735->56740 56739 adce14 56741 adce2a 56740->56741 56741->56740 56742 adce49 56741->56742 56804 ad7400 CloseHandle 56741->56804 56755 ad46a0 56742->56755 56745 adce85 56747 adce9c 56745->56747 56802 adcf20 CloseHandle 56745->56802 56749 adcebd 56747->56749 56771 ae5d80 56747->56771 56748 adcede 56788 ae1200 56748->56788 56749->56748 56803 ae54a0 CloseHandle 56749->56803 56754 adcf60 CloseHandle 56754->56739 56760 ad46af 56755->56760 56758 ad4c20 CloseHandle 56758->56760 56760->56755 56760->56758 56761 ad9460 CloseHandle 56760->56761 56762 ad4e80 CloseHandle 56760->56762 56764 ad488c 56760->56764 56765 ad8ea0 CloseHandle 56760->56765 56766 ad9720 CloseHandle 56760->56766 56767 ad90e0 CloseHandle 56760->56767 56768 ad95a0 CloseHandle 56760->56768 56769 ad7400 CloseHandle 56760->56769 56770 ad8f00 CloseHandle 56760->56770 56805 ad5000 56760->56805 56808 aac120 CloseHandle 56760->56808 56809 aac380 CloseHandle 56760->56809 56810 ad4e00 56760->56810 56761->56760 
56762->56760 56764->56745 56765->56760 56766->56760 56767->56760 56768->56760 56769->56760 56770->56760 56785 ae5d8a 56771->56785 56773 b04580 CloseHandle 56773->56785 56774 aac120 CloseHandle 56774->56785 56776 b06180 CloseHandle 56776->56785 56782 ae0ec0 CloseHandle 56782->56785 56783 ad3340 CloseHandle 56783->56785 56784 ae58e0 CloseHandle 56784->56785 56785->56771 56785->56773 56785->56774 56785->56776 56785->56782 56785->56783 56785->56784 56787 aac380 CloseHandle 56785->56787 56813 ae6320 56785->56813 56826 ae5940 CloseHandle 56785->56826 56827 af54a0 CloseHandle 56785->56827 56828 aac8c0 CloseHandle 56785->56828 56829 ad27e0 CloseHandle 56785->56829 56830 ac2a80 CloseHandle 56785->56830 56831 ab9c60 CloseHandle 56785->56831 56832 ae6720 CloseHandle 56785->56832 56787->56785 56800 ae120a 56788->56800 56791 ad7400 CloseHandle 56791->56800 56794 aac120 CloseHandle 56794->56800 56795 aded60 CloseHandle 56795->56800 56796 ae1437 56797 adf2c0 CloseHandle 56796->56797 56799 adce0a 56797->56799 56799->56754 56800->56788 56800->56791 56800->56794 56800->56795 56800->56796 56801 aac380 CloseHandle 56800->56801 56954 adeea0 56800->56954 56970 ae0e40 56800->56970 56976 adf2c0 56800->56976 56986 adf120 CloseHandle 56800->56986 56987 adf480 CloseHandle 56800->56987 56801->56800 56802->56747 56803->56748 56804->56741 56806 ad4c20 CloseHandle 56805->56806 56807 ad5056 56806->56807 56807->56760 56808->56760 56809->56760 56811 ad4c20 CloseHandle 56810->56811 56812 ad4e56 56811->56812 56812->56760 56815 ae632a 56813->56815 56815->56813 56837 aac120 CloseHandle 56815->56837 56816 ae6427 56838 aac380 CloseHandle 56816->56838 56818 ae6435 56818->56785 56821 ae58e0 CloseHandle 56824 ae6345 56821->56824 56824->56816 56824->56821 56833 ae6680 56824->56833 56839 aac380 CloseHandle 56824->56839 56840 af7e80 CloseHandle 56824->56840 56841 adea00 56824->56841 56887 aac120 CloseHandle 56824->56887 56826->56785 56827->56785 56828->56785 56829->56785 56830->56785 56831->56785 56832->56785 
56835 ae6686 56833->56835 56834 ae66d5 56834->56824 56835->56833 56835->56834 56888 ad5320 56835->56888 56837->56824 56838->56818 56839->56824 56840->56824 56844 adea0a 56841->56844 56842 aded2d 56843 ade720 CloseHandle 56842->56843 56845 aded36 56843->56845 56844->56841 56844->56842 56850 adea56 56844->56850 56845->56824 56846 adeb42 56847 adeb96 56846->56847 56851 adeb75 56846->56851 56945 aac120 CloseHandle 56847->56945 56849 adead4 56849->56846 56855 adeb33 56849->56855 56850->56849 56856 adeac5 56850->56856 56853 ade720 CloseHandle 56851->56853 56852 adeba5 56854 adebaf 56852->56854 56866 adebef 56852->56866 56857 adeb90 56853->56857 56858 adebdb 56854->56858 56946 aac480 CloseHandle 56854->56946 56859 ade720 CloseHandle 56855->56859 56860 ade720 CloseHandle 56856->56860 56857->56824 56947 aac380 CloseHandle 56858->56947 56863 adeb3c 56859->56863 56864 adeace 56860->56864 56863->56824 56864->56824 56865 adebe9 56865->56824 56867 adec51 56866->56867 56948 aac480 CloseHandle 56866->56948 56868 aded0b 56867->56868 56869 adec66 56867->56869 56953 aac380 CloseHandle 56868->56953 56870 adecab 56869->56870 56872 adec85 56869->56872 56950 ae73c0 CloseHandle 56870->56950 56949 aac380 CloseHandle 56872->56949 56873 aded19 56876 ade720 CloseHandle 56873->56876 56880 aded27 56876->56880 56878 adece5 56951 aac380 CloseHandle 56878->56951 56879 adec93 56882 ade720 CloseHandle 56879->56882 56880->56824 56884 adeca5 56882->56884 56883 adecf3 56885 aded05 56883->56885 56952 ae0de0 CloseHandle 56883->56952 56884->56824 56885->56824 56887->56824 56889 ad5332 56888->56889 56889->56888 56890 ad5745 56889->56890 56892 ad5397 56889->56892 56894 ad5000 CloseHandle 56889->56894 56896 ad5446 56889->56896 56917 ad7400 CloseHandle 56889->56917 56930 aac120 CloseHandle 56889->56930 56940 ad8ea0 CloseHandle 56889->56940 56941 ad9720 CloseHandle 56889->56941 56942 ad9460 CloseHandle 56889->56942 56943 ad90e0 CloseHandle 56889->56943 56944 ad8f00 CloseHandle 56889->56944 56890->56834 56931 
aac380 CloseHandle 56892->56931 56894->56889 56895 ad53a6 56895->56834 56932 aac380 CloseHandle 56896->56932 56898 ad5455 56933 aac120 CloseHandle 56898->56933 56901 ad5490 56927 ad4d00 56901->56927 56905 ad54cd 56934 ad4d80 56905->56934 56906 ad56e1 56939 aac380 CloseHandle 56906->56939 56912 ad56ef 56914 ad4d00 CloseHandle 56912->56914 56916 ad570c 56914->56916 56916->56834 56917->56889 56918 ad5517 56919 ad5645 56918->56919 56938 ad89e0 CloseHandle 56918->56938 56920 ad4d00 CloseHandle 56919->56920 56922 ad5692 56920->56922 56924 ad4d00 CloseHandle 56922->56924 56923 ad55ed 56923->56919 56926 ad4d80 CloseHandle 56923->56926 56925 ad56c5 56924->56925 56925->56834 56926->56919 56928 ad4c20 CloseHandle 56927->56928 56929 ad4d56 56928->56929 56929->56905 56929->56906 56930->56889 56931->56895 56932->56898 56933->56901 56935 ad4c20 CloseHandle 56934->56935 56936 ad4dd6 56935->56936 56937 aac380 CloseHandle 56936->56937 56937->56918 56938->56923 56939->56912 56940->56889 56941->56889 56942->56889 56943->56889 56944->56889 56945->56852 56946->56858 56947->56865 56948->56867 56949->56879 56950->56878 56951->56883 56952->56885 56953->56873 56957 adeeaa 56954->56957 56957->56954 56959 adea00 CloseHandle 56957->56959 56960 adef4a 56957->56960 56963 ad9720 CloseHandle 56957->56963 56964 ad8f00 CloseHandle 56957->56964 56965 ad8ea0 CloseHandle 56957->56965 56966 ad96a0 CloseHandle 56957->56966 56967 ad9460 CloseHandle 56957->56967 56968 ad90e0 CloseHandle 56957->56968 56969 ad7400 CloseHandle 56957->56969 56988 ae5700 56957->56988 56994 ae58e0 CloseHandle 56957->56994 56995 aac500 CloseHandle 56957->56995 56959->56957 56996 ae54a0 CloseHandle 56960->56996 56962 adef5a 56962->56800 56963->56957 56964->56957 56965->56957 56966->56957 56967->56957 56968->56957 56969->56957 56971 ae0e46 56970->56971 56971->56970 56972 ae0e79 56971->56972 56974 ad7400 CloseHandle 56971->56974 56973 aded60 CloseHandle 56972->56973 56975 ae0e7e 56973->56975 56974->56971 56975->56800 56977 adf2ca 
56976->56977 56977->56976 56979 adf2f9 56977->56979 56999 ad00c0 CloseHandle 56977->56999 57000 adbd80 CloseHandle 56979->57000 56981 adf35b 56983 adf3b3 56981->56983 57001 ad5240 CloseHandle 56981->57001 56984 adf3e5 56983->56984 57002 af7640 CloseHandle 56983->57002 56984->56800 56986->56800 56987->56800 56989 ae570a 56988->56989 56989->56988 56990 ae5745 56989->56990 56997 af6de0 CloseHandle 56989->56997 56998 ae57a0 CloseHandle 56990->56998 56993 ae5785 56993->56957 56994->56957 56995->56957 56996->56962 56997->56990 56998->56993 56999->56979 57000->56981 57001->56983 57002->56984 57003 adabe0 57022 adabea 57003->57022 57022->57003 57023 adade9 57022->57023 57027 aaca40 57022->57027 57042 aa1a80 57022->57042 57048 ad3900 57022->57048 57063 ae91a0 57022->57063 57079 ae8920 CloseHandle 57022->57079 57080 af13a0 CloseHandle 57022->57080 57081 ae8420 CloseHandle 57022->57081 57082 aa4ee0 CloseHandle 57022->57082 57083 adafa0 CloseHandle 57022->57083 57084 af1180 CloseHandle 57022->57084 57085 afd640 CloseHandle 57022->57085 57086 aaaf20 CloseHandle 57022->57086 57087 aef7c0 CloseHandle 57022->57087 57088 ab9980 CloseHandle 57022->57088 57089 aecc60 57022->57089 57098 aac120 CloseHandle 57022->57098 57099 aa8340 CloseHandle 57022->57099 57100 ae4b00 CloseHandle 57022->57100 57102 ad7400 CloseHandle 57022->57102 57101 aac380 CloseHandle 57023->57101 57026 adadf7 57038 aaca4a 57027->57038 57028 ad8ea0 CloseHandle 57028->57038 57029 ad9460 CloseHandle 57029->57038 57030 ad9720 CloseHandle 57030->57038 57031 aacb0b 57103 ac7cc0 57031->57103 57034 ad9540 CloseHandle 57034->57038 57036 ad8f00 CloseHandle 57036->57038 57037 ad7400 CloseHandle 57037->57038 57038->57027 57038->57028 57038->57029 57038->57030 57038->57031 57038->57034 57038->57036 57038->57037 57039 aacba2 57039->57022 57040 aacb1c 57040->57039 57041 ab9840 CloseHandle 57040->57041 57041->57040 57045 aa1a86 57042->57045 57044 aa1a9d 57173 aa1ae0 CloseHandle 57044->57173 57045->57042 57163 aa2020 57045->57163 
57047 aa1aac 57047->57022 57049 ad390a 57048->57049 57049->57048 57050 ad4c20 CloseHandle 57049->57050 57052 ad3a5c 57049->57052 57061 ad3b0b 57049->57061 57224 aebd60 CloseHandle 57049->57224 57225 af0620 CloseHandle 57049->57225 57050->57049 57053 ad4d00 CloseHandle 57052->57053 57055 ad3a71 57053->57055 57226 b02a00 CloseHandle 57055->57226 57057 ad3aaf 57058 ad4d80 CloseHandle 57057->57058 57059 ad3acd 57058->57059 57212 ad3100 57059->57212 57061->57022 57062 ad3ae5 57062->57022 57064 ae91aa 57063->57064 57064->57063 57229 aa8340 CloseHandle 57064->57229 57066 ae91eb 57067 aae380 CloseHandle 57066->57067 57069 ae9205 57067->57069 57230 b00f80 CloseHandle 57069->57230 57070 ae9245 57231 ae94a0 CloseHandle 57070->57231 57072 ae929e 57232 ae94a0 CloseHandle 57072->57232 57074 ae92af 57233 aa8340 CloseHandle 57074->57233 57076 ae92db 57234 b022c0 CloseHandle 57076->57234 57078 ae92e5 57078->57022 57079->57022 57080->57022 57081->57022 57082->57022 57083->57022 57084->57022 57085->57022 57086->57022 57087->57022 57088->57022 57097 aecc6a 57089->57097 57090 ad7400 CloseHandle 57090->57097 57091 ab6840 CloseHandle 57091->57097 57092 aac120 CloseHandle 57092->57097 57094 aac380 CloseHandle 57094->57097 57095 aeccf1 57095->57022 57097->57089 57097->57090 57097->57091 57097->57092 57097->57094 57097->57095 57235 ac8720 57097->57235 57241 ac9aa0 CloseHandle 57097->57241 57098->57022 57099->57022 57100->57022 57101->57026 57102->57022 57105 ac7cca 57103->57105 57105->57103 57137 ab9720 CloseHandle 57105->57137 57106 ac7cfe 57138 ab9720 CloseHandle 57106->57138 57108 ac7d25 57139 ab9720 CloseHandle 57108->57139 57110 ac7d49 57140 ab9720 CloseHandle 57110->57140 57112 ac7d6d 57141 ab9720 CloseHandle 57112->57141 57114 ac7d91 57142 ab9720 CloseHandle 57114->57142 57116 ac7db5 57143 ab9720 CloseHandle 57116->57143 57118 ac7dd9 57122 acaaa0 57118->57122 57121 ab5620 CloseHandle 57121->57040 57123 acaaaa 57122->57123 57123->57122 57126 acaaca 57123->57126 57127 ad9720 
CloseHandle 57123->57127 57129 ad9540 CloseHandle 57123->57129 57132 ad8f00 CloseHandle 57123->57132 57134 ad8ea0 CloseHandle 57123->57134 57135 ad90e0 CloseHandle 57123->57135 57157 ad7400 CloseHandle 57123->57157 57125 acab16 57148 accf80 57125->57148 57144 ad0ac0 57126->57144 57127->57123 57129->57123 57130 acab25 57153 ac3cc0 57130->57153 57132->57123 57134->57123 57135->57123 57137->57106 57138->57108 57139->57110 57140->57112 57141->57114 57142->57116 57143->57118 57145 ad0ac6 57144->57145 57145->57144 57146 aae640 CloseHandle 57145->57146 57147 ad0afa 57146->57147 57147->57125 57151 accf8a 57148->57151 57149 acd085 57149->57130 57150 ab6e40 CloseHandle 57150->57151 57151->57148 57151->57149 57151->57150 57158 ad7400 CloseHandle 57151->57158 57154 ac3cca 57153->57154 57154->57153 57159 acd960 57154->57159 57156 aacb17 57156->57121 57157->57123 57158->57151 57160 acd966 57159->57160 57160->57159 57161 ab6e40 CloseHandle 57160->57161 57162 acd985 57161->57162 57162->57156 57164 aa202a 57163->57164 57164->57163 57174 aae380 57164->57174 57166 aa203e 57169 aa219b 57166->57169 57178 aebe40 CloseHandle 57166->57178 57171 aa23ad 57169->57171 57179 aebe40 CloseHandle 57169->57179 57172 aa25ba 57171->57172 57180 aebe40 CloseHandle 57171->57180 57172->57044 57173->57047 57175 aae386 57174->57175 57175->57174 57181 aad960 57175->57181 57177 aae3a5 57177->57166 57178->57169 57179->57171 57180->57172 57182 aad96a 57181->57182 57182->57181 57184 aad9ab 57182->57184 57186 ad7400 CloseHandle 57182->57186 57189 aadb36 57182->57189 57192 aad760 CloseHandle 57182->57192 57193 aae0d8 57182->57193 57196 aae0c9 57182->57196 57203 aae260 CloseHandle 57182->57203 57204 ab59c0 CloseHandle 57182->57204 57205 ab5400 CloseHandle 57182->57205 57206 ac0b00 CloseHandle 57182->57206 57207 aae460 CloseHandle 57182->57207 57185 aae640 CloseHandle 57184->57185 57187 aad9f9 57185->57187 57186->57182 57187->57177 57189->57177 57192->57182 57195 aae106 57193->57195 57209 ad04a0 CloseHandle 
57193->57209 57197 aae174 57195->57197 57210 ab9c60 CloseHandle 57195->57210 57208 aae2e0 CloseHandle 57196->57208 57197->57177 57201 aae165 57201->57197 57211 ab9d60 CloseHandle 57201->57211 57203->57182 57204->57182 57205->57182 57206->57182 57207->57182 57208->57193 57209->57195 57210->57201 57211->57197 57213 ad310a 57212->57213 57213->57212 57214 ad4e00 CloseHandle 57213->57214 57215 ad3145 57214->57215 57216 ad321a 57215->57216 57227 ad2c40 CloseHandle 57215->57227 57216->57062 57218 ad317d 57219 ad3214 57218->57219 57228 b02a00 CloseHandle 57218->57228 57219->57062 57221 ad31ba 57222 ad4e00 CloseHandle 57221->57222 57223 ad31fc 57222->57223 57223->57062 57224->57049 57225->57049 57226->57057 57227->57218 57228->57221 57229->57066 57230->57070 57231->57072 57232->57074 57233->57076 57234->57078 57240 ac8726 57235->57240 57236 ac8732 57237 ac8ac0 CloseHandle 57236->57237 57239 ac8739 57237->57239 57239->57097 57240->57235 57240->57236 57242 ad7400 CloseHandle 57240->57242 57241->57097 57242->57240 57243 ad3760 57244 ad376a 57243->57244 57244->57243 57265 ad2da0 57244->57265 57254 ad37b6 57295 ad2d00 57254->57295 57258 ad37ca 57317 ad3240 57258->57317 57260 ad37cf 57261 ad4d00 CloseHandle 57260->57261 57262 ad3805 57261->57262 57263 ad4d80 CloseHandle 57262->57263 57264 ad3845 57263->57264 57269 ad2daa 57265->57269 57266 ad7400 CloseHandle 57266->57269 57267 ad2c40 CloseHandle 57267->57269 57268 ad4e00 CloseHandle 57268->57269 57269->57265 57269->57266 57269->57267 57269->57268 57270 ad3070 57269->57270 57271 aeabe0 57270->57271 57272 aeabea 57271->57272 57272->57271 57273 ad4c20 CloseHandle 57272->57273 57274 aeac0a 57273->57274 57275 ad4d00 CloseHandle 57274->57275 57276 aeac25 57275->57276 57277 ad4d80 CloseHandle 57276->57277 57278 aeac65 57277->57278 57279 ad4d00 CloseHandle 57278->57279 57280 ad37a5 57279->57280 57281 aead40 57280->57281 57282 aead4a 57281->57282 57282->57281 57283 ad4d80 CloseHandle 57282->57283 57284 aead77 57283->57284 57285 ad4d80 
CloseHandle 57284->57285 57286 aeadae 57285->57286 57287 ad4d80 CloseHandle 57286->57287 57288 ad37aa 57287->57288 57289 ad3400 57288->57289 57290 ad340a 57289->57290 57290->57289 57291 ad4e80 CloseHandle 57290->57291 57292 ad343b 57291->57292 57293 ad3473 57292->57293 57294 ad4d00 CloseHandle 57292->57294 57324 ad3340 CloseHandle 57293->57324 57294->57293 57297 ad2d0a 57295->57297 57296 ad4d80 CloseHandle 57296->57297 57297->57295 57297->57296 57298 ad2d5b 57297->57298 57325 ad7400 CloseHandle 57297->57325 57300 ad34a0 57298->57300 57304 ad34aa 57300->57304 57301 ad4e00 CloseHandle 57301->57304 57302 ad35ce 57302->57258 57303 ad4c20 CloseHandle 57303->57304 57304->57300 57304->57301 57304->57302 57304->57303 57307 ad3679 57304->57307 57326 ad3880 CloseHandle 57304->57326 57327 ae85c0 CloseHandle 57304->57327 57308 ad5000 CloseHandle 57307->57308 57310 ad36b3 57308->57310 57309 ad3710 57309->57258 57310->57309 57328 ad8ea0 CloseHandle 57310->57328 57312 ad36f3 57329 ad9720 CloseHandle 57312->57329 57314 ad3705 57330 ad8f00 CloseHandle 57314->57330 57316 ad370a 57316->57258 57319 ad324a 57317->57319 57318 ad4e00 CloseHandle 57320 ad3291 57318->57320 57319->57317 57319->57318 57321 ad4d00 CloseHandle 57320->57321 57323 ad332b 57320->57323 57322 ad32dd 57321->57322 57322->57260 57323->57260 57324->57254 57325->57297 57326->57304 57327->57304 57328->57312 57329->57314 57330->57316 57331 aedd80 57347 aedd92 57331->57347 57332 ad95a0 CloseHandle 57332->57347 57333 ad8ea0 CloseHandle 57333->57347 57335 aee106 57338 aee11b 57335->57338 57393 aeea40 CloseHandle 57335->57393 57336 ad96a0 CloseHandle 57336->57347 57337 aee151 57345 aee18f 57337->57345 57396 af2a20 CloseHandle 57337->57396 57342 aee13e 57338->57342 57394 ae1cc0 CloseHandle 57338->57394 57340 aee262 57363 aee2aa 57340->57363 57399 ad8ea0 CloseHandle 57340->57399 57395 ae18c0 CloseHandle 57342->57395 57345->57340 57346 aee1ed 57345->57346 57397 adbd80 CloseHandle 57346->57397 57347->57331 57347->57332 
57347->57333 57347->57335 57347->57336 57347->57337 57359 ad9720 CloseHandle 57347->57359 57370 ad90e0 CloseHandle 57347->57370 57371 afa840 CloseHandle 57347->57371 57373 ad7400 CloseHandle 57347->57373 57375 ad8f00 CloseHandle 57347->57375 57406 ad9460 CloseHandle 57347->57406 57407 af1be0 CloseHandle 57347->57407 57348 ad8ea0 CloseHandle 57348->57363 57351 aee274 57400 ad9720 CloseHandle 57351->57400 57352 aee209 57376 aed940 57352->57376 57357 aee285 57401 ad9460 CloseHandle 57357->57401 57359->57347 57362 aee232 57363->57348 57365 ad9720 CloseHandle 57363->57365 57369 ad8f00 CloseHandle 57363->57369 57372 ad95a0 CloseHandle 57363->57372 57404 ad7400 CloseHandle 57363->57404 57405 ad9460 CloseHandle 57363->57405 57364 aee291 57402 ad9720 CloseHandle 57364->57402 57365->57363 57367 aee2a5 57403 ad8f00 CloseHandle 57367->57403 57369->57363 57370->57347 57371->57347 57372->57363 57373->57347 57375->57347 57377 aed94f 57376->57377 57377->57376 57378 aed972 57377->57378 57379 ad7400 CloseHandle 57377->57379 57380 aecc60 CloseHandle 57378->57380 57379->57377 57381 aeda25 57380->57381 57383 aeda9a 57381->57383 57385 aedacd 57381->57385 57412 ad7400 CloseHandle 57381->57412 57413 aed7e0 CloseHandle 57383->57413 57408 af8e00 CloseHandle 57385->57408 57389 aedc16 57391 aedc3c 57389->57391 57409 aed440 CloseHandle 57389->57409 57410 af9440 CloseHandle 57389->57410 57390 aedc71 57398 adbd80 CloseHandle 57390->57398 57411 aecf40 CloseHandle 57391->57411 57393->57338 57394->57342 57395->57337 57396->57345 57397->57352 57398->57362 57399->57351 57400->57357 57401->57364 57402->57367 57403->57363 57404->57363 57405->57363 57406->57347 57407->57347 57408->57389 57409->57389 57410->57389 57411->57390 57412->57383 57413->57385 57414 ae6240 57415 ae624a 57414->57415 57415->57414 57418 ae62a7 57415->57418 57420 ad4f80 57415->57420 57417 ad4d80 CloseHandle 57419 ae62fa 57417->57419 57418->57417 57421 ad4c20 CloseHandle 57420->57421 57422 ad4fd6 57421->57422 57422->57418 57423 b042e0 
57424 b04300 57423->57424 57427 b0b140 57424->57427 57426 b04449 57430 ae3660 57427->57430 57432 ae3666 57430->57432 57431 b04580 CloseHandle 57433 ae36ab 57431->57433 57432->57430 57432->57431 57433->57426 57434 b04500 57435 b04534 57434->57435 57436 b0452f 57434->57436 57443 ae16a0 57435->57443 57457 ada800 CloseHandle 57436->57457 57444 ae16aa 57443->57444 57444->57443 57459 adbd80 CloseHandle 57444->57459 57446 ae16f8 57451 ae1725 57446->57451 57460 af7940 CloseHandle 57446->57460 57448 ae1887 57449 ae1200 CloseHandle 57448->57449 57450 ae188c 57449->57450 57458 ada840 CloseHandle 57450->57458 57451->57448 57461 adbd80 CloseHandle 57451->57461 57453 ae181d 57454 ae183b 57453->57454 57462 af7a80 CloseHandle 57453->57462 57455 adf2c0 CloseHandle 57454->57455 57455->57448 57459->57446 57460->57451 57461->57453 57462->57454 57463 18f79cf1000 57464 18f79cf101f 57463->57464 57473 18f79d06dc0 57464->57473 57466 18f79cf104b CreateMutexExW 57468 18f79cf10e3 57466->57468 57497 18f79cf91e0 57468->57497 57470 18f79cf10fe 57471 18f79cf11dc CloseHandle ExitProcess 57470->57471 57472 18f79cf11f2 _snprintf _LDint 57470->57472 57475 18f79d06dd8 57473->57475 57474 18f79d073f1 LoadLibraryExW 57479 18f79d07412 57474->57479 57496 18f79d06deb 57474->57496 57475->57474 57476 18f79d0733c GetProcAddressForCaller 57475->57476 57477 18f79d0738a 57475->57477 57475->57496 57476->57477 57476->57496 57477->57474 57477->57496 57478 18f79d07793 LoadLibraryExW 57481 18f79d077ba 57478->57481 57478->57496 57479->57478 57479->57496 57480 18f79d078d5 LoadLibraryExW 57483 18f79d078f6 57480->57483 57480->57496 57481->57480 57481->57496 57482 18f79d07b4d LoadLibraryExW 57485 18f79d07b6e 57482->57485 57482->57496 57483->57482 57483->57496 57484 18f79d07c83 LoadLibraryExW 57487 18f79d07caa 57484->57487 57484->57496 57485->57484 57485->57496 57486 18f79d07efb LoadLibraryExW 57489 18f79d07f1c 57486->57489 57486->57496 57487->57486 57487->57496 57488 18f79d08031 LoadLibraryExW 57492 18f79d08052 
57488->57492 57488->57496 57489->57488 57491 18f79d07f82 GetProcAddressForCaller 57489->57491 57493 18f79d07fcd 57489->57493 57490 18f79d08167 LoadLibraryExW 57490->57496 57491->57493 57491->57496 57492->57490 57494 18f79d080b8 GetProcAddressForCaller 57492->57494 57495 18f79d08103 57492->57495 57493->57488 57493->57496 57494->57495 57494->57496 57495->57490 57495->57496 57496->57466 57498 18f79cf9214 57497->57498 57499 18f79cf934b StrCmpIW 57498->57499 57500 18f79cf9362 57498->57500 57499->57500 57500->57470
      APIs
      Strings
      Memory Dump Source
      • Source File: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000018F78460000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_18f78460000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: SectionVirtual$ProtectView$AllocCreateUnmap
      • String ID: @
      • API String ID: 1653215272-2766056989
      • Opcode ID: 4b22fe138627849a766478aa8e442552939c912139603cedaa36243b0ace8e26
      • Instruction ID: 89c4fddccd3e0805c22bc8c7b46cad32ba4f02f7de5c0a3fa45412c8f38f480a
      • Opcode Fuzzy Hash: 4b22fe138627849a766478aa8e442552939c912139603cedaa36243b0ace8e26
      • Instruction Fuzzy Hash: 7E72B830628B488BEB69DF28C8857E9B3E1FB98310F14853DD98BC7241DF74E6528B55
      APIs
      Memory Dump Source
      • Source File: 00000005.00000002.2435764747.0000018F78460000.00000040.00000020.00020000.00000000.sdmp, Offset: 0000018F78460000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_5_2_18f78460000_Edge.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: a3c9e5f65659c10088e35569a0d5ca214acd241ea4d0d9f80ecf011f2679decb
      • Instruction ID: 6fcb1f69e42be6a718ddba0e0dd1b88308a79522c01fe8834f5c73954a32c876
      • Opcode Fuzzy Hash: a3c9e5f65659c10088e35569a0d5ca214acd241ea4d0d9f80ecf011f2679decb
      • Instruction Fuzzy Hash: ADC19731624A058BFB59EE28C4897E9B3D1FB94300F54813ED54BC3386DF60EA6387A5